Analysis
- max time kernel: 159s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/12/2023, 04:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: c4e7de71e86affcece70059ccbf8cff7.exe
- Resource: win7-20231215-en
General
- Target: c4e7de71e86affcece70059ccbf8cff7.exe
- Size: 473KB
- MD5: c4e7de71e86affcece70059ccbf8cff7
- SHA1: ea6cea75b55026c665ced20326ba0e777e6efd07
- SHA256: f6d0fcc214adc2d411aaf7142e0d05ca532eedf6ac4fb70d60753718c55e24e5
- SHA512: fac9ac9f8bc8d3a14eb677b47dcb570ba338de02283317bd4fdaf0b24ed923c79aa6ad9f4dbe3f1562fb4f3a67c49fdef8134dc04115f88f8afdc7557200739b
- SSDEEP: 12288:eNpszYhvXWSVJdMaeaxxJGJ0k8rbYfyprRYKJdnxb:ihvJVJdMQeuk6Ygdx
Malware Config
Extracted
redline
@burduc
45.81.227.32:22625
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  yara_rule family_redline matched resource behavioral2/memory/380-20-0x0000000000400000-0x000000000041E000-memory.dmp
- SectopRAT payload (1 IoC)
  yara_rule family_sectoprat matched resource behavioral2/memory/380-20-0x0000000000400000-0x000000000041E000-memory.dmp
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (process: c4e7de71e86affcece70059ccbf8cff7.exe)
- Executes dropped EXE (1 IoC)
  PID 4340: JaNBM.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 4340 (JaNBM.exe) set thread context of PID 380 (procid_target 99)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 380 (MSBuild.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1172 (c4e7de71e86affcece70059ccbf8cff7.exe) wrote to memory of PID 4340 (procid_target 96), 3 events
  PID 4340 (JaNBM.exe) wrote to memory of PID 380 (procid_target 99), 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\c4e7de71e86affcece70059ccbf8cff7.exe (PID 1172, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4e7de71e86affcece70059ccbf8cff7.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\JaNBM.exe (PID 4340, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\JaNBM.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 380, depth 3)
      Command line: "{path}"
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 201KB
- MD5: 4f9729fc5afca11b32fa7a3cb47fe5b3
- SHA1: 26bf2656ec4be0d077958342aa3efe6b50bcc02c
- SHA256: 5608760b7ffaf577f8ab79f59629789489cdc97d3cbc302669a1523eff699ef6
- SHA512: dd958913997171661ba36f2ad97a44b1959e929b234b9c056b7d66be4404ef407e3c971160ad346c8979245d3785d43896bda46291bcdd038615f58db6896130