Analysis
max time kernel: 168s
max time network: 187s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 00:16

Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: 1c451ae9e13fcc4fd348dcaa1ebe165e.exe
Resource: win7-20231215-en
7 signatures
150 seconds
General
Target: 1c451ae9e13fcc4fd348dcaa1ebe165e.exe
Size: 371KB
MD5: 1c451ae9e13fcc4fd348dcaa1ebe165e
SHA1: dbc4d70b5be8e9f9fd901ba427cdf6f486fb8012
SHA256: a72ae0e8a91c3721968dac08ec5052c28d685042feaee1883fa64f8cf9a618db
SHA512: ee48163468ba1f1a348d56a619d106a5313f897e5ff1386ea7a0ae000a225b812e8b971f10abb938f9f9101a55aa6e49a56da4035651597c3b4ec066842f0c96
SSDEEP: 6144:6fM4Ry8JO4+U6aDJEcK9cLLsfYT97+hI3OY637CaokjI:kM4ECO4+U6aDJEcK9cLLsfYT97+hI3OM
Malware Config
Extracted
Family: redline
Botnet: EU_BOT_1
C2: 185.234.247.136:47666
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2936-13-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2936-11-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2936-9-0x0000000000400000-0x000000000041E000-memory.dmp    family_redline
behavioral1/memory/2936-6-0x0000000000400000-0x000000000041E000-memory.dmp    family_redline
behavioral1/memory/2936-5-0x0000000000400000-0x000000000041E000-memory.dmp    family_redline

SectopRAT payload (5 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2936-13-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2936-11-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2936-9-0x0000000000400000-0x000000000041E000-memory.dmp    family_sectoprat
behavioral1/memory/2936-6-0x0000000000400000-0x000000000041E000-memory.dmp    family_sectoprat
behavioral1/memory/2936-5-0x0000000000400000-0x000000000041E000-memory.dmp    family_sectoprat

Suspicious use of SetThreadContext (1 IoC)
description                           pid   Process                               procid_target
PID 2704 set thread context of 2936   2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2936  1c451ae9e13fcc4fd348dcaa1ebe165e.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description                       pid   Process                               procid_target
PID 2704 wrote to memory of 2660  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  30
PID 2704 wrote to memory of 2660  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  30
PID 2704 wrote to memory of 2660  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  30
PID 2704 wrote to memory of 2660  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  30
PID 2704 wrote to memory of 2936  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31
PID 2704 wrote to memory of 2936  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31
PID 2704 wrote to memory of 2936  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31
PID 2704 wrote to memory of 2936  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31
PID 2704 wrote to memory of 2936  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31
PID 2704 wrote to memory of 2936  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31
PID 2704 wrote to memory of 2936  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31
PID 2704 wrote to memory of 2936  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31
PID 2704 wrote to memory of 2936  2704  1c451ae9e13fcc4fd348dcaa1ebe165e.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\1c451ae9e13fcc4fd348dcaa1ebe165e.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1c451ae9e13fcc4fd348dcaa1ebe165e.exe"
  PID: 2704
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1c451ae9e13fcc4fd348dcaa1ebe165e.exe (level 2, child of 2704)
    command line: C:\Users\Admin\AppData\Local\Temp\1c451ae9e13fcc4fd348dcaa1ebe165e.exe
    PID: 2660

  C:\Users\Admin\AppData\Local\Temp\1c451ae9e13fcc4fd348dcaa1ebe165e.exe (level 2, child of 2704)
    command line: C:\Users\Admin\AppData\Local\Temp\1c451ae9e13fcc4fd348dcaa1ebe165e.exe
    PID: 2936
    - Suspicious use of AdjustPrivilegeToken