Analysis

max time kernel: 183s
max time network: 217s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 12:40

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 1f1e8ec42168ab9b166714b8d78d1bf9.exe
Resource: win7-20231215-en
7 signatures, 150 seconds
General

Target: 1f1e8ec42168ab9b166714b8d78d1bf9.exe
Size: 382KB
MD5: 1f1e8ec42168ab9b166714b8d78d1bf9
SHA1: dca4a68c8835b2d943fda651684bc7084e9e8889
SHA256: a563f1fae3c7c4097a686978866f01a4af153ed082260ebd87ccb19416036e39
SHA512: e9e703923259fd5c29133de787e7abed8b13107351b57ad429158fbbf0bee363822e042395a58590d6d57aef6acf3ce8f4ff0e866fbbb78ac357b2bdaaec710f
SSDEEP: 6144:+JeDoPZM5LnzbK9jTiUs1EeG4+LccIhpw2yVWez/n1y5etYhpQ6edFofVnPUNI:0csYDqjnwvQ6eGV
Malware Config

Extracted
Family: redline
Botnet: @tsiw13
C2: 185.80.234.77:17105
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource / yara_rule:
- behavioral1/memory/1752-12-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline
- behavioral1/memory/1752-14-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline
- behavioral1/memory/1752-18-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline
- behavioral1/memory/1752-22-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline
- behavioral1/memory/1752-20-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline

SectopRAT payload (7 IoCs)
resource / yara_rule:
- behavioral1/memory/1752-12-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
- behavioral1/memory/1752-14-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
- behavioral1/memory/1752-18-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
- behavioral1/memory/1752-22-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
- behavioral1/memory/1752-20-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
- behavioral1/memory/1752-25-0x00000000007D0000-0x0000000000810000-memory.dmp / family_sectoprat
- behavioral1/memory/1752-27-0x00000000007D0000-0x0000000000810000-memory.dmp / family_sectoprat

Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
- PID 2724 set thread context of 1752 / 2724 / 1f1e8ec42168ab9b166714b8d78d1bf9.exe / 29

Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process:
- Token: SeDebugPrivilege / 1752 / 1f1e8ec42168ab9b166714b8d78d1bf9.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target (the same entry is reported 9 times):
- PID 2724 wrote to memory of 1752 / 2724 / 1f1e8ec42168ab9b166714b8d78d1bf9.exe / 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe"
   PID: 2724
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe (child process)
   command line: "{path}"
   PID: 1752
   - Suspicious use of AdjustPrivilegeToken