Analysis
max time kernel: 139s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 15:16
Static task: static1
Behavioral task: behavioral1
  Sample: 288f13be34b5be823463fa5a166a7a0d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 288f13be34b5be823463fa5a166a7a0d.exe
  Resource: win10v2004-20231215-en
General
Target: 288f13be34b5be823463fa5a166a7a0d.exe
Size: 1.0MB
MD5: 288f13be34b5be823463fa5a166a7a0d
SHA1: d2b81269568ce7c96962204b6c99059ece8f4da6
SHA256: ef090c01a4c3fd0603727756890dfb26b722def5a5f2ca833ba7658cb2e02807
SHA512: 0d92c2bd1ee4eee3237eb11a18e54012d3e7d3b8bdf12fda9faf90a22235061c0bdc41389f2724c058b6397225e9e0a9a4d73692f33bd77f89a62a70e7db0dee
SSDEEP: 24576:L7WIGE9yweRQVLG7xhfR/1CQYxWONV53CXB31dfbqpt/R:f1IMhQ5/baWsGfbqppR
Malware Config
Extracted family: redline
Extracted value: albrmagair.xyz:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral2/memory/2692-24-0x0000000000B80000-0x0000000000B9E000-memory.dmp
yara_rule: family_redline

SectopRAT payload (1 IoC)
resource: behavioral2/memory/2692-24-0x0000000000B80000-0x0000000000B9E000-memory.dmp
yara_rule: family_sectoprat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
Process: 288f13be34b5be823463fa5a166a7a0d.exe

Executes dropped EXE (3 IoCs)
pid   Process
1756  Pensato.exe.com
1700  Pensato.exe.com
2692  RegAsm.exe

Suspicious use of SetThreadContext (1 IoC)
description: PID 1700 set thread context of 2692
pid: 1700
Process: Pensato.exe.com
procid_target: 98

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
pid   Process
3928  PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid: 2692
Process: RegAsm.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description                        pid   Process                               procid_target
PID 1236 wrote to memory of 688    1236  288f13be34b5be823463fa5a166a7a0d.exe  29
PID 1236 wrote to memory of 688    1236  288f13be34b5be823463fa5a166a7a0d.exe  29
PID 1236 wrote to memory of 688    1236  288f13be34b5be823463fa5a166a7a0d.exe  29
PID 688 wrote to memory of 4656    688   cmd.exe                               28
PID 688 wrote to memory of 4656    688   cmd.exe                               28
PID 688 wrote to memory of 4656    688   cmd.exe                               28
PID 4656 wrote to memory of 676    4656  cmd.exe                               27
PID 4656 wrote to memory of 676    4656  cmd.exe                               27
PID 4656 wrote to memory of 676    4656  cmd.exe                               27
PID 4656 wrote to memory of 1756   4656  cmd.exe                               26
PID 4656 wrote to memory of 1756   4656  cmd.exe                               26
PID 4656 wrote to memory of 1756   4656  cmd.exe                               26
PID 4656 wrote to memory of 3928   4656  cmd.exe                               24
PID 4656 wrote to memory of 3928   4656  cmd.exe                               24
PID 4656 wrote to memory of 3928   4656  cmd.exe                               24
PID 1756 wrote to memory of 1700   1756  Pensato.exe.com                       25
PID 1756 wrote to memory of 1700   1756  Pensato.exe.com                       25
PID 1756 wrote to memory of 1700   1756  Pensato.exe.com                       25
PID 1700 wrote to memory of 2692   1700  Pensato.exe.com                       98
PID 1700 wrote to memory of 2692   1700  Pensato.exe.com                       98
PID 1700 wrote to memory of 2692   1700  Pensato.exe.com                       98
PID 1700 wrote to memory of 2692   1700  Pensato.exe.com                       98
PID 1700 wrote to memory of 2692   1700  Pensato.exe.com                       98
Processes

C:\Users\Admin\AppData\Local\Temp\288f13be34b5be823463fa5a166a7a0d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\288f13be34b5be823463fa5a166a7a0d.exe"
  PID: 1236
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c cmd < Ama.sldx
    PID: 688
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd
      PID: 4656
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^WyumGSfHLEZtFxRtGySXzLBeKZKbrUOBWpbUBSAhtrnDZbeXuyKTlLllEtPHoSEQQnicWWDNEFSfhYejXNdYlVskZjdbrTyjmHMBdGqpCWgESVWGwCJxBGGU$" Siate.sldx
        PID: 676

      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensato.exe.com
        command line: Pensato.exe.com L
        PID: 1756
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensato.exe.com
          command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensato.exe.com L
          PID: 1700
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            PID: 2692
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 30
        PID: 3928
        - Runs ping.exe