Analysis
max time kernel: 144s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 16:06
Static task: static1
Behavioral task: behavioral1
  Sample: 2bc1f2a0dada4b055ffd21affaedd90c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2bc1f2a0dada4b055ffd21affaedd90c.exe
  Resource: win10v2004-20231222-en
General
Target: 2bc1f2a0dada4b055ffd21affaedd90c.exe
Size: 376KB
MD5: 2bc1f2a0dada4b055ffd21affaedd90c
SHA1: 2065b033bfbf85e5de5cc933f8834c02220fe5a1
SHA256: 1735440f3b7cbcb8ac567ba7fbeb0ad5465184b2663681f59b11d4a1650fadda
SHA512: 516039b70ddb06f00f50aff3ad6a59a36d89a63831b336917d756da35a8bdaf297b7d5715115660e4e4ca5889cb82f58eff25d358e6608a51c6493a9bcfd7963
SSDEEP: 6144:oM4Ry81AxEauvBEAs5cOPQqJT13OIK7Caok+enI:oM4EEAxEauvBEAs5cOPQqJT13OIK7CaU
Malware Config
Extracted
Family: redline
Botnet: @TyBaby_LZT
C2: 45.12.213.248:36372
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1916-7-0x0000000000400000-0x000000000041E000-memory.dmp    family_redline
behavioral1/memory/1916-9-0x0000000000400000-0x000000000041E000-memory.dmp    family_redline
behavioral1/memory/1916-13-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/1916-15-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/1916-17-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
SectopRAT payload (5 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1916-7-0x0000000000400000-0x000000000041E000-memory.dmp    family_sectoprat
behavioral1/memory/1916-9-0x0000000000400000-0x000000000041E000-memory.dmp    family_sectoprat
behavioral1/memory/1916-13-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/1916-15-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/1916-17-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process                               procid_target
PID 1132 set thread context of 1916  1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid   Process
Token: SeDebugPrivilege   1916  2bc1f2a0dada4b055ffd21affaedd90c.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid   Process                               procid_target
PID 1132 wrote to memory of 1916   1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
PID 1132 wrote to memory of 1916   1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
PID 1132 wrote to memory of 1916   1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
PID 1132 wrote to memory of 1916   1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
PID 1132 wrote to memory of 1916   1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
PID 1132 wrote to memory of 1916   1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
PID 1132 wrote to memory of 1916   1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
PID 1132 wrote to memory of 1916   1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
PID 1132 wrote to memory of 1916   1132  2bc1f2a0dada4b055ffd21affaedd90c.exe  29
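Read together, the signature rows above describe one sequence: PID 1132 starts a second copy of its own executable (PID 1916), writes into it nine times, then calls SetThreadContext on it, and every family rule fires inside PID 1916 at 0x400000-0x41E000, the default image base of a 32-bit PE. That is consistent with process hollowing: the file on disk is a loader, the RedLine payload lives only in the child's memory, and the RedLine and SectopRAT rule sets matching the same region of the same process is one payload hit by two overlapping rule sets rather than two implants. The Python below is an added example, not part of this report or of any sandbox's own tooling: it parses the flattened signature rows and YARA dump names exactly as printed above (the sample strings are copied from the report; the `ROW_RE`/`DUMP_RE` patterns, the `find_hollowing`/`triage`/`parse_c2` helpers and the rule that a pair needs both WriteProcessMemory and SetThreadContext are my assumptions), joins the injection pair to the rules seen in the target's memory, and validates the extracted C2 before it is pushed to a blocklist.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed input: the signature cells and YARA memory-match cells in the
# flattened form the report prints them (the WriteProcessMemory row appears 9x).
SET_THREAD_CONTEXT = (
    "PID 1132 set thread context of 1916 1132 "
    "2bc1f2a0dada4b055ffd21affaedd90c.exe 29"
)
WRITE_PROCESS_MEMORY = " ".join(
    ["PID 1132 wrote to memory of 1916 1132 "
     "2bc1f2a0dada4b055ffd21affaedd90c.exe 29"] * 9
)
YARA_MATCHES = (
    "behavioral1/memory/1916-7-0x0000000000400000-0x000000000041E000-memory.dmp family_redline "
    "behavioral1/memory/1916-9-0x0000000000400000-0x000000000041E000-memory.dmp family_redline "
    "behavioral1/memory/1916-7-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat"
)
C2 = "45.12.213.248:36372"

# One row cell: "PID <src> <verb> <dst> <src> <image> <procid_target>" (assumed layout).
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)"
)
# One dump name: "<task>/memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp <rule>" (assumed layout).
DUMP_RE = re.compile(
    r"behavioral\d+/memory/(?P<pid>\d+)-\d+-0x(?P<base>[0-9A-Fa-f]+)-"
    r"0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp (?P<family>\S+)"
)


def parse_rows(text):
    """(src_pid, verb, dst_pid, image) for every API-call row in a signature cell."""
    return [(int(m["src"]), m["verb"], int(m["dst"]), m["image"])
            for m in ROW_RE.finditer(text)]


def parse_dumps(text):
    """{pid: {(base, end): {rule, ...}}} from the YARA memory-dump cells."""
    out = defaultdict(lambda: defaultdict(set))
    for m in DUMP_RE.finditer(text):
        region = (int(m["base"], 16), int(m["end"], 16))
        out[int(m["pid"])][region].add(m["family"])
    return out


def find_hollowing(rows):
    """(src, dst) pairs where src both wrote dst's memory AND set its thread
    context. WriteProcessMemory on its own (debuggers do it) is not enough."""
    per_pair = defaultdict(Counter)
    for src, verb, dst, _ in rows:
        per_pair[(src, dst)][verb] += 1
    return {pair: dict(c) for pair, c in per_pair.items()
            if c["wrote to memory of"] and c["set thread context of"]}


def triage(rows, dumps):
    """Join each injection pair to the rules that fired inside the target's memory."""
    findings = []
    for (src, dst), counts in find_hollowing(rows).items():
        for (base, end), rules in dumps.get(dst, {}).items():
            findings.append({
                "injector": src, "target": dst,
                "writes": counts["wrote to memory of"],
                "region": f"0x{base:X}-0x{end:X}", "size": end - base,
                "rules": sorted(rules),
            })
    return findings


def parse_c2(value):
    """Split 'ip:port' and refuse non-routable addresses or bad ports so a
    sandbox artefact (e.g. a loopback placeholder) never lands on a blocklist."""
    host, _, port = value.rpartition(":")
    addr = ipaddress.ip_address(host)
    port = int(port)
    if not addr.is_global or not 0 < port < 65536:
        raise ValueError(f"not a usable C2 indicator: {value}")
    return str(addr), port


if __name__ == "__main__":
    rows = parse_rows(SET_THREAD_CONTEXT + " " + WRITE_PROCESS_MEMORY)
    for finding in triage(rows, parse_dumps(YARA_MATCHES)):
        print(finding)
    print(parse_c2(C2))
```

On this report the join yields a single finding: injector 1132, target 1916, nine writes, region 0x400000-0x41E000 (0x1E000 bytes) carrying both `family_redline` and `family_sectoprat`. The same correlation applied to a real EDR feed would key on the Sysmon/ETW equivalents (process creation with identical image path, then cross-process writes and thread-context changes from the parent) rather than on this report's printed rows.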
Processes
- C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe"
  PID: 1132
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe (child of PID 1132)
    Command line: C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe
    PID: 1916
    - Suspicious use of AdjustPrivilegeToken