Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 16:06

Static task: static1

Behavioral task: behavioral1
  Sample: 2bc1f2a0dada4b055ffd21affaedd90c.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 2bc1f2a0dada4b055ffd21affaedd90c.exe
  Resource: win10v2004-20231222-en
General
Target: 2bc1f2a0dada4b055ffd21affaedd90c.exe
Size: 376KB
MD5: 2bc1f2a0dada4b055ffd21affaedd90c
SHA1: 2065b033bfbf85e5de5cc933f8834c02220fe5a1
SHA256: 1735440f3b7cbcb8ac567ba7fbeb0ad5465184b2663681f59b11d4a1650fadda
SHA512: 516039b70ddb06f00f50aff3ad6a59a36d89a63831b336917d756da35a8bdaf297b7d5715115660e4e4ca5889cb82f58eff25d358e6608a51c6493a9bcfd7963
SSDEEP: 6144:oM4Ry81AxEauvBEAs5cOPQqJT13OIK7Caok+enI:oM4EEAxEauvBEAs5cOPQqJT13OIK7CaU
Malware Config
Extracted
Family: redline
Botnet: @TyBaby_LZT
C2: 45.12.213.248:36372
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral2/memory/3136-6-0x0000000000400000-0x000000000041E000-memory.dmp
yara_rule: family_redline

SectopRAT payload (1 IoC)
resource: behavioral2/memory/3136-6-0x0000000000400000-0x000000000041E000-memory.dmp
yara_rule: family_sectoprat

Suspicious use of SetThreadContext (1 IoC)
description: PID 436 set thread context of 3136
pid: 436
Process: 2bc1f2a0dada4b055ffd21affaedd90c.exe
procid_target: 93

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid: 3136
Process: 2bc1f2a0dada4b055ffd21affaedd90c.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description: PID 436 wrote to memory of 3136
pid: 436
Process: 2bc1f2a0dada4b055ffd21affaedd90c.exe
procid_target: 93
(the same entry is recorded 8 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe"
   PID: 436
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe
   PID: 3136
   - Suspicious use of AdjustPrivilegeToken
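The signature rows and the process tree above, read together, describe one sequence: the first instance (PID 436) spawns a second copy of its own image (PID 3136), writes into it eight times, replaces its thread context, and the child then enables SeDebugPrivilege, after which both family YARA rules hit on a region at 0x400000 in the child. The script below is an added example, not part of the sandbox report or its tooling: it parses the rows as plain text, reconstructs that write-then-SetThreadContext pairing as a process-hollowing finding, and checks that the YARA dump came from the hollowed child. The row and dump-name formats it expects, the regexes, and the 0x400000 default-image-base heuristic are this example's own assumptions; the sample rows are copied from the report.

```python
"""Correlate sandbox behavioural signature rows into a process-hollowing finding.

Assumptions (this example's own, not the sandbox's documented format):
  * signature rows read "<description> <pid> <process> [<procid_target>]"
  * memory-dump resources read ".../memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp"
"""
import re
from collections import defaultdict

# Constructed sample: the report's rows, one string each, in the page's phrasing.
SAMPLE_SIGNATURE_ROWS = [
    "PID 436 set thread context of 3136 436 2bc1f2a0dada4b055ffd21affaedd90c.exe 93",
    "Token: SeDebugPrivilege 3136 2bc1f2a0dada4b055ffd21affaedd90c.exe",
] + ["PID 436 wrote to memory of 3136 436 2bc1f2a0dada4b055ffd21affaedd90c.exe 93"] * 8

# Constructed sample: pid -> image path, as listed in the process tree.
SAMPLE_PROCESS_TREE = {
    436: r"C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe",
    3136: r"C:\Users\Admin\AppData\Local\Temp\2bc1f2a0dada4b055ffd21affaedd90c.exe",
}

# The resource name both family_redline and family_sectoprat matched on.
SAMPLE_YARA_RESOURCE = "behavioral2/memory/3136-6-0x0000000000400000-0x000000000041E000-memory.dmp"

SET_CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)\b")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) ")
DUMP_RE = re.compile(r"/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_rows(rows):
    """Group rows by acting pid: write counts per target, context-set targets, privileges."""
    events = defaultdict(lambda: {"writes": defaultdict(int), "ctx": set(), "privs": set()})
    for row in rows:
        if m := SET_CTX_RE.match(row):
            events[int(m[1])]["ctx"].add(int(m[2]))
        elif m := WRITE_RE.match(row):
            events[int(m[1])]["writes"][int(m[2])] += 1
        elif m := TOKEN_RE.match(row):
            events[int(m[2])]["privs"].add(m[1])
    return events


def parse_dump_resource(resource):
    """Split a memory-dump resource name into pid, dump index and address range."""
    m = DUMP_RE.search(resource)
    if not m:
        raise ValueError(f"unrecognised dump resource: {resource}")
    base, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "index": int(m[2]), "base": base, "end": end, "size": end - base}


def find_hollowing(rows, tree):
    """Flag (parent, child) pairs where one process wrote into another AND replaced
    its thread context: the canonical hollowing sequence (ATT&CK T1055.012).
    Same image path for both (self-hollowing) and a later SeDebugPrivilege grant in
    the child are recorded as supporting evidence, not as requirements."""
    events = parse_rows(rows)
    findings = []
    for src, info in list(events.items()):
        for dst in sorted(info["ctx"]):
            writes = info["writes"].get(dst, 0)
            if writes == 0:
                continue  # SetThreadContext without a prior write is not hollowing
            child = events.get(dst)
            findings.append({
                "parent": src,
                "child": dst,
                "writes": writes,
                "same_image": tree.get(src) is not None and tree.get(src) == tree.get(dst),
                "child_has_sedebug": bool(child and "SeDebugPrivilege" in child["privs"]),
                "technique": "process hollowing (T1055.012)",
            })
    return findings


def correlate_dump(finding, resource):
    """Check that a family YARA hit was taken from the hollowed child's memory.
    0x400000 is the default image base of a 32-bit PE; a payload mapped there in a
    child the parent just wrote into is what a hollowed image looks like (heuristic)."""
    dump = parse_dump_resource(resource)
    dump["in_hollowed_child"] = dump["pid"] == finding["child"]
    dump["at_default_image_base"] = dump["base"] == 0x400000
    return dump


if __name__ == "__main__":
    for finding in find_hollowing(SAMPLE_SIGNATURE_ROWS, SAMPLE_PROCESS_TREE):
        print(finding)
        print(correlate_dump(finding, SAMPLE_YARA_RESOURCE))
```

Run against the sample rows it reports one finding, 436 hollowing 3136 with eight writes, same image, SeDebugPrivilege in the child, and a 0x1E000-byte dump at 0x400000 from PID 3136. A write without a matching SetThreadContext, as in a benign parent patching a child, produces no finding.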
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2bc1f2a0dada4b055ffd21affaedd90c.exe.log
Filesize: 700B
MD5: e5352797047ad2c91b83e933b24fbc4f
SHA1: 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256: b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512: dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827