Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 19:29

Static task: static1
Behavioral task: behavioral1
- Sample: 01bf86b5caf867e70f0c6fb148125a5a.exe
- Resource: win7-20231129-en

General
- Target: 01bf86b5caf867e70f0c6fb148125a5a.exe
- Size: 1.1MB
- MD5: 01bf86b5caf867e70f0c6fb148125a5a
- SHA1: 3cded8fd741f886845f9f3093b6651203daa0522
- SHA256: bcb380255f3dad767bbf18e7268dafcfbb70bb1934736eb172488b445975ba83
- SHA512: 7138741b13cc8eeaf46bfa8dde9f483439a3def3862aa47aafb590b47eb5b2fd14786f7edcc66ae2d154219427c22f3d4966a31418135f2c4819ecd48ee818ab
- SSDEEP: 24576:b/YMs9GEi5T5VFagmiuly8jjRUQoMmJB:b/mi9foguYQoMQ
Malware Config
Extracted
- Family: redline
- test1
- xoyuluilsh.xyz:80
Signatures

- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (6 IoCs)
Processes:
resource / yara_rule
behavioral1/memory/1584-13-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline
behavioral1/memory/1584-15-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline
behavioral1/memory/1584-19-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline
behavioral1/memory/1584-21-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline
behavioral1/memory/1584-24-0x0000000000400000-0x000000000041E000-memory.dmp / family_redline
behavioral1/memory/1584-26-0x0000000004F10000-0x0000000004F50000-memory.dmp / family_redline
- SectopRAT payload (6 IoCs)
Processes:
resource / yara_rule
behavioral1/memory/1584-13-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
behavioral1/memory/1584-15-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
behavioral1/memory/1584-19-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
behavioral1/memory/1584-21-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
behavioral1/memory/1584-24-0x0000000000400000-0x000000000041E000-memory.dmp / family_sectoprat
behavioral1/memory/1584-26-0x0000000004F10000-0x0000000004F50000-memory.dmp / family_sectoprat
- Suspicious use of SetThreadContext (1 IoC)
Processes: 01bf86b5caf867e70f0c6fb148125a5a.exe
description / pid / process / target process
PID 3036 set thread context of 1584 / 3036 / 01bf86b5caf867e70f0c6fb148125a5a.exe / 01bf86b5caf867e70f0c6fb148125a5a.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 01bf86b5caf867e70f0c6fb148125a5a.exe
description / pid / process
Token: SeDebugPrivilege / 1584 / 01bf86b5caf867e70f0c6fb148125a5a.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 01bf86b5caf867e70f0c6fb148125a5a.exe
description / pid / process / target process
PID 3036 wrote to memory of 1584 / 3036 / 01bf86b5caf867e70f0c6fb148125a5a.exe / 01bf86b5caf867e70f0c6fb148125a5a.exe (this entry is recorded 9 times)
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\01bf86b5caf867e70f0c6fb148125a5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01bf86b5caf867e70f0c6fb148125a5a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\01bf86b5caf867e70f0c6fb148125a5a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\01bf86b5caf867e70f0c6fb148125a5a.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1584-21-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/1584-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/1584-13-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/1584-11-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/1584-27-0x00000000746D0000-0x0000000074DBE000-memory.dmp: 6.9MB
- memory/1584-26-0x0000000004F10000-0x0000000004F50000-memory.dmp: 256KB
- memory/1584-25-0x00000000746D0000-0x0000000074DBE000-memory.dmp: 6.9MB
- memory/1584-24-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/1584-15-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/1584-9-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/1584-28-0x0000000004F10000-0x0000000004F50000-memory.dmp: 256KB
- memory/1584-19-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/3036-2-0x0000000000A20000-0x0000000000A60000-memory.dmp: 256KB
- memory/3036-8-0x00000000009F0000-0x0000000000A16000-memory.dmp: 152KB
- memory/3036-1-0x0000000074750000-0x0000000074E3E000-memory.dmp: 6.9MB
- memory/3036-0-0x0000000000E30000-0x0000000000F56000-memory.dmp: 1.1MB
- memory/3036-23-0x0000000074750000-0x0000000074E3E000-memory.dmp: 6.9MB
- memory/3036-7-0x0000000005C10000-0x0000000005C7C000-memory.dmp: 432KB
- memory/3036-6-0x0000000000A20000-0x0000000000A60000-memory.dmp: 256KB
- memory/3036-5-0x0000000074750000-0x0000000074E3E000-memory.dmp: 6.9MB
- memory/3036-3-0x0000000004C90000-0x0000000004D0C000-memory.dmp: 496KB
- memory/3036-4-0x0000000000850000-0x0000000000876000-memory.dmp: 152KB