Analysis

- max time kernel: 181s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/12/2023, 23:40
Static task: static1

Behavioral task: behavioral1
- Sample: 1a579c3c244c6d61a663d33552b5057b.exe
- Resource: win7-20231215-en
General

- Target: 1a579c3c244c6d61a663d33552b5057b.exe
- Size: 1.0MB
- MD5: 1a579c3c244c6d61a663d33552b5057b
- SHA1: 8f8cad540acbc396c5fdca0f445af7af0bd4df89
- SHA256: 657ed0632158da9edb4f46a8086e9ec6167c332dc89e6a106e7891577845f574
- SHA512: d68b8e6b5259f1664e83420fe0a6ff5e0bbe8bf15be432e427d25a16717a967c52a17dea289ac3072094c18f9655d47916c37054f4fbcb113af950deff07c3e6
- SSDEEP: 24576:XCla/6N1I2rXccaMf+VpfPQy2i9XKtG6y4gs:ylk6N1JQ9M63j0/
Malware Config

Extracted
- Family: redline
- Botnet: WW
- C2: boterov.com:58198
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoC)
  resource: behavioral2/memory/1192-13-0x0000000000400000-0x000000000041E000-memory.dmp
  yara_rule: family_redline

- SectopRAT payload (1 IoC)
  resource: behavioral2/memory/1192-13-0x0000000000400000-0x000000000041E000-memory.dmp
  yara_rule: family_sectoprat

- CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.
  resource: behavioral2/memory/3648-7-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
  yara_rule: CustAttr

- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                               procid_target
  PID 3648 set thread context of 1192  3648  1a579c3c244c6d61a663d33552b5057b.exe  103

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3648  1a579c3c244c6d61a663d33552b5057b.exe
  3648  1a579c3c244c6d61a663d33552b5057b.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3648  1a579c3c244c6d61a663d33552b5057b.exe
  Token: SeDebugPrivilege  1192  1a579c3c244c6d61a663d33552b5057b.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                               procid_target
  PID 3648 wrote to memory of 388   3648  1a579c3c244c6d61a663d33552b5057b.exe  102
  PID 3648 wrote to memory of 388   3648  1a579c3c244c6d61a663d33552b5057b.exe  102
  PID 3648 wrote to memory of 388   3648  1a579c3c244c6d61a663d33552b5057b.exe  102
  PID 3648 wrote to memory of 1192  3648  1a579c3c244c6d61a663d33552b5057b.exe  103
  PID 3648 wrote to memory of 1192  3648  1a579c3c244c6d61a663d33552b5057b.exe  103
  PID 3648 wrote to memory of 1192  3648  1a579c3c244c6d61a663d33552b5057b.exe  103
  PID 3648 wrote to memory of 1192  3648  1a579c3c244c6d61a663d33552b5057b.exe  103
  PID 3648 wrote to memory of 1192  3648  1a579c3c244c6d61a663d33552b5057b.exe  103
  PID 3648 wrote to memory of 1192  3648  1a579c3c244c6d61a663d33552b5057b.exe  103
  PID 3648 wrote to memory of 1192  3648  1a579c3c244c6d61a663d33552b5057b.exe  103
  PID 3648 wrote to memory of 1192  3648  1a579c3c244c6d61a663d33552b5057b.exe  103
Processes

- C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe "C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe" (PID 3648)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe "C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe" (PID 388)
  - C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe "C:\Users\Admin\AppData\Local\Temp\1a579c3c244c6d61a663d33552b5057b.exe" (PID 1192)
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1a579c3c244c6d61a663d33552b5057b.exe.log
  - Filesize: 1KB
  - MD5: 84e77a587d94307c0ac1357eb4d3d46f
  - SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  - SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  - SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691