redline | 69121cc59905d374c6a35a13940e855a9c68344a740471d7769e845a8ca0efc8

Analysis

max time kernel
153s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 22:58

Target

1f2f4b97cf33e38fd3673f203e663ae0.exe
Size

125KB
MD5

1f2f4b97cf33e38fd3673f203e663ae0
SHA1

691bce10f015d6b6c41656a2e6a249fde5dcc9a7
SHA256

69121cc59905d374c6a35a13940e855a9c68344a740471d7769e845a8ca0efc8
SHA512

aa29dbcd36effe15d19bd06425fbe3044dc2727fe02977b6a3437cf6b6d54cd6c7416f1434d0875a2e5d7b66d9e4a12a72d6c50a652f1869863e87c0c04f0275
SSDEEP

3072:ieYUmYrpIvqp+Wur9ftKLkvmt4XtgQ0Y+jneqW:iemYVEqp+WOf64XtgQ0YEnfW

Score

10^/10

Family

redline

Botnet

mix

135.181.175.182:10628

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2952-2-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2952-2-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

1f2f4b97cf33e38fd3673f203e663ae0.exe

description pid process target process

PID 2012 set thread context of 2952 2012 1f2f4b97cf33e38fd3673f203e663ae0.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1192 2012 WerFault.exe 1f2f4b97cf33e38fd3673f203e663ae0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2952 RegSvcs.exe

description	pid	process	target process
PID 2012 set thread context of 2952	2012	1f2f4b97cf33e38fd3673f203e663ae0.exe	RegSvcs.exe

pid	pid_target	process	target process
1192	2012	WerFault.exe	1f2f4b97cf33e38fd3673f203e663ae0.exe

description	pid	process
Token: SeDebugPrivilege	2952	RegSvcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

1f2f4b97cf33e38fd3673f203e663ae0.exe

description	pid	process	target process
PID 2012 wrote to memory of 2952	2012	1f2f4b97cf33e38fd3673f203e663ae0.exe	RegSvcs.exe
PID 2012 wrote to memory of 2952	2012	1f2f4b97cf33e38fd3673f203e663ae0.exe	RegSvcs.exe
PID 2012 wrote to memory of 2952	2012	1f2f4b97cf33e38fd3673f203e663ae0.exe	RegSvcs.exe
PID 2012 wrote to memory of 2952	2012	1f2f4b97cf33e38fd3673f203e663ae0.exe	RegSvcs.exe
PID 2012 wrote to memory of 2952	2012	1f2f4b97cf33e38fd3673f203e663ae0.exe	RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 292
2⤵
- Program crash
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2012 -ip 2012
1⤵
PID:2040

memory/2012-1-0x0000000000E20000-0x0000000000F20000-memory.dmp

Filesize
1024KB

Download
memory/2952-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2952-7-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2952-8-0x0000000005A30000-0x0000000006048000-memory.dmp

Filesize
6.1MB

Download
memory/2952-9-0x0000000002F70000-0x0000000002F82000-memory.dmp

Filesize
72KB

Download
memory/2952-10-0x0000000005450000-0x000000000548C000-memory.dmp

Filesize
240KB

Download
memory/2952-11-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2952-12-0x0000000005490000-0x00000000054DC000-memory.dmp

Filesize
304KB

Download
memory/2952-13-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2952-14-0x00000000056D0000-0x00000000057DA000-memory.dmp

Filesize
1.0MB

Download
memory/2952-15-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download