Analysis

max time kernel:   134s
max time network:  144s
platform:          windows7_x64
resource:          win7-20231129-en
resource tags:     arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted:         25/12/2023, 12:24
Static task: static1

Behavioral task: behavioral1
  Sample:   1e207d7a6df676f188ca75585040a336.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   1e207d7a6df676f188ca75585040a336.exe
  Resource: win10v2004-20231215-en
General

Target:  1e207d7a6df676f188ca75585040a336.exe
Size:    5.7MB
MD5:     1e207d7a6df676f188ca75585040a336
SHA1:    8e36a7cd4adfe11ece2637fec19fcf2248621628
SHA256:  285748362e691ed5d45ae01863d63a848b2b88e2e750c7d667cc27b09684f8ee
SHA512:  8f33754e7a2fec5ded4df89abf46ebee64f2450aa9f3230a4363f3c4db3ca23675f712edea4a8f7c49f313689e65c251fe3416debe0270c059a6c2b72d8d7916
SSDEEP:  98304:bxyCwbY367tftU0xdCeDGvnekExJqyIoWR88IfRXdXV1FXG8:9ynLt3kHnnExgyqRIZXrXG8
Malware Config

Extracted
  Family: redline
  Botnet: adsgoogle2
  C2:     45.93.4.12:80
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2972-8-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
  behavioral1/memory/2972-7-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
  behavioral1/memory/2972-15-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
  behavioral1/memory/2972-13-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
  behavioral1/memory/2972-11-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline

SectopRAT payload (5 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2972-8-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
  behavioral1/memory/2972-7-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
  behavioral1/memory/2972-15-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
  behavioral1/memory/2972-13-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
  behavioral1/memory/2972-11-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat

Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process                               procid_target
  PID 2852 set thread context of 2972    2852  1e207d7a6df676f188ca75585040a336.exe  29

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2972  1e207d7a6df676f188ca75585040a336.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid   Process                               procid_target
  PID 2852 wrote to memory of 2972     2852  1e207d7a6df676f188ca75585040a336.exe  29
  PID 2852 wrote to memory of 2972     2852  1e207d7a6df676f188ca75585040a336.exe  29
  PID 2852 wrote to memory of 2972     2852  1e207d7a6df676f188ca75585040a336.exe  29
  PID 2852 wrote to memory of 2972     2852  1e207d7a6df676f188ca75585040a336.exe  29
  PID 2852 wrote to memory of 2972     2852  1e207d7a6df676f188ca75585040a336.exe  29
  PID 2852 wrote to memory of 2972     2852  1e207d7a6df676f188ca75585040a336.exe  29
  PID 2852 wrote to memory of 2972     2852  1e207d7a6df676f188ca75585040a336.exe  29
  PID 2852 wrote to memory of 2972     2852  1e207d7a6df676f188ca75585040a336.exe  29
  PID 2852 wrote to memory of 2972     2852  1e207d7a6df676f188ca75585040a336.exe  29
Processes

1. C:\Users\Admin\AppData\Local\Temp\1e207d7a6df676f188ca75585040a336.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1e207d7a6df676f188ca75585040a336.exe"
   PID: 2852
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\1e207d7a6df676f188ca75585040a336.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1e207d7a6df676f188ca75585040a336.exe
      PID: 2972
      - Suspicious use of AdjustPrivilegeToken