Analysis
max time kernel: 142s
max time network: 143s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 15:16

Static task: static1
Behavioral task: behavioral1
  Sample: 288f13be34b5be823463fa5a166a7a0d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 288f13be34b5be823463fa5a166a7a0d.exe
  Resource: win10v2004-20231215-en
General
Target: 288f13be34b5be823463fa5a166a7a0d.exe
Size: 1.0MB
MD5: 288f13be34b5be823463fa5a166a7a0d
SHA1: d2b81269568ce7c96962204b6c99059ece8f4da6
SHA256: ef090c01a4c3fd0603727756890dfb26b722def5a5f2ca833ba7658cb2e02807
SHA512: 0d92c2bd1ee4eee3237eb11a18e54012d3e7d3b8bdf12fda9faf90a22235061c0bdc41389f2724c058b6397225e9e0a9a4d73692f33bd77f89a62a70e7db0dee
SSDEEP: 24576:L7WIGE9yweRQVLG7xhfR/1CQYxWONV53CXB31dfbqpt/R:f1IMhQ5/baWsGfbqppR

Malware Config (extracted)
redline: albrmagair.xyz:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2100-38-0x0000000000090000-0x00000000000AE000-memory.dmp   family_redline
  behavioral1/memory/2100-36-0x0000000000090000-0x00000000000AE000-memory.dmp   family_redline
  behavioral1/memory/2100-32-0x0000000000090000-0x00000000000AE000-memory.dmp   family_redline

SectopRAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2100-38-0x0000000000090000-0x00000000000AE000-memory.dmp   family_sectoprat
  behavioral1/memory/2100-36-0x0000000000090000-0x00000000000AE000-memory.dmp   family_sectoprat
  behavioral1/memory/2100-32-0x0000000000090000-0x00000000000AE000-memory.dmp   family_sectoprat

Executes dropped EXE (3 IoCs)
  pid   Process
  2708  Pensato.exe.com
  2980  Pensato.exe.com
  2100  RegAsm.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  2692  cmd.exe
  2708  Pensato.exe.com
  2980  Pensato.exe.com
  2100  RegAsm.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                                pid   Process           procid_target
  PID 2980 set thread context of 2100        2980  Pensato.exe.com   35

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  2812  PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2100  RegAsm.exe

Suspicious use of WriteProcessMemory (33 IoCs; identical entries collapsed, count in the last column)
  description                          pid   Process                                 procid_target   entries
  PID 1300 wrote to memory of 2872     1300  288f13be34b5be823463fa5a166a7a0d.exe    25              4
  PID 2872 wrote to memory of 2692     2872  cmd.exe                                 23              4
  PID 2692 wrote to memory of 2404     2692  cmd.exe                                 22              4
  PID 2692 wrote to memory of 2708     2692  cmd.exe                                 21              4
  PID 2692 wrote to memory of 2812     2692  cmd.exe                                 19              4
  PID 2708 wrote to memory of 2980     2708  Pensato.exe.com                         20              4
  PID 2980 wrote to memory of 2100     2980  Pensato.exe.com                         35              9
Processes
(indented by the tree depth the report gives; PIDs and signatures as reported)

C:\Users\Admin\AppData\Local\Temp\288f13be34b5be823463fa5a166a7a0d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\288f13be34b5be823463fa5a166a7a0d.exe"
  PID: 1300
  Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c cmd < Ama.sldx
      PID: 2872
      Signatures: Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\PING.EXE
  Command line: ping 127.0.0.1 -n 30
  PID: 2812
  Signatures: Runs ping.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensato.exe.com
  Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensato.exe.com L
  PID: 2980
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
      PID: 2100
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensato.exe.com
  Command line: Pensato.exe.com L
  PID: 2708
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /V /R "^WyumGSfHLEZtFxRtGySXzLBeKZKbrUOBWpbUBSAhtrnDZbeXuyKTlLllEtPHoSEQQnicWWDNEFSfhYejXNdYlVskZjdbrTyjmHMBdGqpCWgESVWGwCJxBGGU$" Siate.sldx
  PID: 2404

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd
  PID: 2692
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
Downloads