redline | 0ee76a38739c46c034b853dd31645d5b31a6bc81e4b6370e4832338c6ebe8310

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3b0bd9e7c47bf11bfd7f0212e2e6403.exe
Size

396KB
MD5

c3b0bd9e7c47bf11bfd7f0212e2e6403
SHA1

f72d2b2170f1fec4c9791a19f4196d68146422d8
SHA256

0ee76a38739c46c034b853dd31645d5b31a6bc81e4b6370e4832338c6ebe8310
SHA512

36db8e885342955b57c942e42a7b683e4925a7283cf6465d351502995718b2ff9017d204d63925fee4b4c18225a381affaea354734ccf4680528fa176f161cb5
SSDEEP

6144:wyFyj8tJ6okU7nqmWkGxGifNkPADID09R1+R+aMSr5R7aePCYEuGJmfctZXAEZ0d:hw8t03U7nqtxpDVR1WnMWee4XXXG

Score

10^/10

redline sectoprat pub infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

PUB

185.215.113.45:41009

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5024-10-0x00000000025F0000-0x000000000260E000-memory.dmp	family_redline
behavioral2/memory/5024-4-0x0000000002400000-0x0000000002420000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5024-10-0x00000000025F0000-0x000000000260E000-memory.dmp	family_sectoprat
behavioral2/memory/5024-14-0x00000000025E0000-0x00000000025F0000-memory.dmp	family_sectoprat
behavioral2/memory/5024-4-0x0000000002400000-0x0000000002420000-memory.dmp	family_sectoprat

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c3b0bd9e7c47bf11bfd7f0212e2e6403.exe

description pid process

Token: SeDebugPrivilege 5024 c3b0bd9e7c47bf11bfd7f0212e2e6403.exe

description	pid	process
Token: SeDebugPrivilege	5024	c3b0bd9e7c47bf11bfd7f0212e2e6403.exe

C:\Users\Admin\AppData\Local\Temp\c3b0bd9e7c47bf11bfd7f0212e2e6403.exe
"C:\Users\Admin\AppData\Local\Temp\c3b0bd9e7c47bf11bfd7f0212e2e6403.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5024-1-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/5024-3-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5024-2-0x00000000005E0000-0x000000000060F000-memory.dmp

Filesize
188KB

Download
memory/5024-6-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/5024-9-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/5024-10-0x00000000025F0000-0x000000000260E000-memory.dmp

Filesize
120KB

Download
memory/5024-11-0x00000000051C0000-0x00000000057D8000-memory.dmp

Filesize
6.1MB

Download
memory/5024-8-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/5024-13-0x0000000005810000-0x000000000584C000-memory.dmp

Filesize
240KB

Download
memory/5024-12-0x00000000057F0000-0x0000000005802000-memory.dmp

Filesize
72KB

Download
memory/5024-7-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/5024-5-0x0000000074320000-0x0000000074AD0000-memory.dmp

Filesize
7.7MB

Download
memory/5024-15-0x0000000005870000-0x00000000058BC000-memory.dmp

Filesize
304KB

Download
memory/5024-14-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/5024-4-0x0000000002400000-0x0000000002420000-memory.dmp

Filesize
128KB

Download
memory/5024-16-0x0000000005A00000-0x0000000005B0A000-memory.dmp

Filesize
1.0MB

Download
memory/5024-17-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5024-19-0x00000000005E0000-0x000000000060F000-memory.dmp

Filesize
188KB

Download
memory/5024-18-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/5024-20-0x0000000074320000-0x0000000074AD0000-memory.dmp

Filesize
7.7MB

Download
memory/5024-22-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/5024-23-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/5024-24-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download