Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2023, 12:40
Static task
static1
Behavioral task
behavioral1
Sample
1f1e8ec42168ab9b166714b8d78d1bf9.exe
Resource
win7-20231215-en
General
-
Target
1f1e8ec42168ab9b166714b8d78d1bf9.exe
-
Size
382KB
-
MD5
1f1e8ec42168ab9b166714b8d78d1bf9
-
SHA1
dca4a68c8835b2d943fda651684bc7084e9e8889
-
SHA256
a563f1fae3c7c4097a686978866f01a4af153ed082260ebd87ccb19416036e39
-
SHA512
e9e703923259fd5c29133de787e7abed8b13107351b57ad429158fbbf0bee363822e042395a58590d6d57aef6acf3ce8f4ff0e866fbbb78ac357b2bdaaec710f
-
SSDEEP
6144:+JeDoPZM5LnzbK9jTiUs1EeG4+LccIhpw2yVWez/n1y5etYhpQ6edFofVnPUNI:0csYDqjnwvQ6eGV
Malware Config
Extracted
redline
@tsiw13
185.80.234.77:17105
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/2968-12-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
resource yara_rule behavioral2/memory/2968-12-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4408 set thread context of 2968 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 106 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe Token: SeDebugPrivilege 2968 1f1e8ec42168ab9b166714b8d78d1bf9.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 4408 wrote to memory of 4120 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 102 PID 4408 wrote to memory of 4120 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 102 PID 4408 wrote to memory of 4120 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 102 PID 4408 wrote to memory of 4840 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 103 PID 4408 wrote to memory of 4840 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 103 PID 4408 wrote to memory of 4840 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 103 PID 4408 wrote to memory of 1036 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 104 PID 4408 wrote to memory of 1036 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 104 PID 4408 wrote to memory of 1036 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 104 PID 4408 wrote to memory of 1424 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 105 PID 4408 wrote to memory of 1424 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 105 PID 4408 wrote to memory of 1424 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 105 PID 4408 wrote to memory of 2968 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 106 PID 4408 wrote to memory of 2968 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 106 PID 4408 wrote to memory of 2968 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 106 PID 4408 wrote to memory of 2968 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 106 PID 4408 wrote to memory of 2968 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 106 PID 4408 wrote to memory of 2968 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 106 PID 4408 wrote to memory of 2968 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 106 PID 4408 wrote to memory of 2968 4408 1f1e8ec42168ab9b166714b8d78d1bf9.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe"C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe"{path}"2⤵PID:4120
-
-
C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe"{path}"2⤵PID:4840
-
-
C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe"{path}"2⤵PID:1036
-
-
C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe"{path}"2⤵PID:1424
-
-
C:\Users\Admin\AppData\Local\Temp\1f1e8ec42168ab9b166714b8d78d1bf9.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1f1e8ec42168ab9b166714b8d78d1bf9.exe.log
Filesize1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3