Analysis
max time kernel: 142s
max time network: 144s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 28/12/2023, 04:51
Static task: static1
Behavioral task: behavioral1
Sample: c4e7de71e86affcece70059ccbf8cff7.exe
Resource: win7-20231215-en
General
Target: c4e7de71e86affcece70059ccbf8cff7.exe
Size: 473KB
MD5: c4e7de71e86affcece70059ccbf8cff7
SHA1: ea6cea75b55026c665ced20326ba0e777e6efd07
SHA256: f6d0fcc214adc2d411aaf7142e0d05ca532eedf6ac4fb70d60753718c55e24e5
SHA512: fac9ac9f8bc8d3a14eb677b47dcb570ba338de02283317bd4fdaf0b24ed923c79aa6ad9f4dbe3f1562fb4f3a67c49fdef8134dc04115f88f8afdc7557200739b
SSDEEP: 12288:eNpszYhvXWSVJdMaeaxxJGJ0k8rbYfyprRYKJdnxb:ihvJVJdMQeuk6Ygdx
Malware Config
Extracted
redline
@burduc
45.81.227.32:22625
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2716-29-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2716-31-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2716-34-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2716-26-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2716-25-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline

SectopRAT payload (6 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2716-29-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2716-31-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2716-34-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2716-26-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2716-25-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2716-36-0x0000000004B10000-0x0000000004B50000-memory.dmp  family_sectoprat

Executes dropped EXE (1 IoC)
pid   Process
1892  JaNBM.exe

Loads dropped DLL (4 IoCs)
pid   Process
1964  c4e7de71e86affcece70059ccbf8cff7.exe
1964  c4e7de71e86affcece70059ccbf8cff7.exe
1964  c4e7de71e86affcece70059ccbf8cff7.exe
1964  c4e7de71e86affcece70059ccbf8cff7.exe

Suspicious use of SetThreadContext (1 IoC)
description                           pid   Process    procid_target
PID 1892 set thread context of 2716   1892  JaNBM.exe  29

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2716  MSBuild.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description                       pid   Process                                procid_target
PID 1964 wrote to memory of 1892  1964  c4e7de71e86affcece70059ccbf8cff7.exe  28
PID 1964 wrote to memory of 1892  1964  c4e7de71e86affcece70059ccbf8cff7.exe  28
PID 1964 wrote to memory of 1892  1964  c4e7de71e86affcece70059ccbf8cff7.exe  28
PID 1964 wrote to memory of 1892  1964  c4e7de71e86affcece70059ccbf8cff7.exe  28
PID 1892 wrote to memory of 2716  1892  JaNBM.exe                              29
PID 1892 wrote to memory of 2716  1892  JaNBM.exe                              29
PID 1892 wrote to memory of 2716  1892  JaNBM.exe                              29
PID 1892 wrote to memory of 2716  1892  JaNBM.exe                              29
PID 1892 wrote to memory of 2716  1892  JaNBM.exe                              29
PID 1892 wrote to memory of 2716  1892  JaNBM.exe                              29
PID 1892 wrote to memory of 2716  1892  JaNBM.exe                              29
PID 1892 wrote to memory of 2716  1892  JaNBM.exe                              29
PID 1892 wrote to memory of 2716  1892  JaNBM.exe                              29
Processes
C:\Users\Admin\AppData\Local\Temp\c4e7de71e86affcece70059ccbf8cff7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4e7de71e86affcece70059ccbf8cff7.exe"
  PID: 1964
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\JaNBM.exe
    Command line: "C:\Users\Admin\AppData\Roaming\JaNBM.exe"
    PID: 1892
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "{path}"
      PID: 2716
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 201KB
MD5: 4f9729fc5afca11b32fa7a3cb47fe5b3
SHA1: 26bf2656ec4be0d077958342aa3efe6b50bcc02c
SHA256: 5608760b7ffaf577f8ab79f59629789489cdc97d3cbc302669a1523eff699ef6
SHA512: dd958913997171661ba36f2ad97a44b1959e929b234b9c056b7d66be4404ef407e3c971160ad346c8979245d3785d43896bda46291bcdd038615f58db6896130