Overview

overview

10

Static

static

3

1637661fce...29.exe

windows7-x64

10

1637661fce...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 10:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1637661fced5903b3db6ad8f4633a729.exe

  • Size

    1.0MB

  • MD5

    1637661fced5903b3db6ad8f4633a729

  • SHA1

    877feda7fc9bcf645efb7c58382e8c398e7b4f9e

  • SHA256

    634206b8256faa12b0664ad3b1fb101d26d884d761688193fee177ce8ed48723

  • SHA512

    138c7ff28b0dab1ac095a9eded3684b68eaabdcba18f8fc860bfabab562ca5b4358aaf75a6d0644a44d440fab5a84d58eeaa813c8b2395074821635911736593

  • SSDEEP

    24576:rSLXjRGOsO3AhBe1Qnh0aZP000Ibavym04b+Jimrn+0MwduFMMh9I/T6:EzRGOsO3AhBe1zaN00qy7HQmrn+lrFy6

Score
10/10
redlinesectopratstraightinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

Straight

C2

2.56.59.35:43636

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1637661fced5903b3db6ad8f4633a729.exe
    "C:\Users\Admin\AppData\Local\Temp\1637661fced5903b3db6ad8f4633a729.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\System32\dllhost.exe"
      2⤵
        PID:2676
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd < Smarrito.potx
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^EEooMPoWPFfAikdlGlnQpNsfZEiuPvmTPikfoSRsEVXYToUUEvmliuLQjSpiHeiaycKZqweOaujhQzvRJhCaWgLJvcefIJJCNESbbVUDxLSwUbZTvsbxmOvQJwDEYMyIvKmkBYxOzZYkvK$" Ricordate.potx
            4⤵
              PID:2812
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com
              Infinita.exe.com w
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2712
              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com
                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com w
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:2604
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of AdjustPrivilegeToken
                  PID:436
            • C:\Windows\SysWOW64\PING.EXE
              ping QVMRJQQO -n 30
              4⤵
              • Runs ping.exe
              PID:2060

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Felicita.potx
              Filesize

              956KB

              MD5

              a6ac8662aeb5e762bd55b4e2ce4b6127

              SHA1

              711dc5f1100e5bf9c8fa1e27fe154629ed93d564

              SHA256

              827bbe792e3f1507a4a8dc9b6ee0303556334f7cbdd5eaf2f7edd2afc6c85dd0

              SHA512

              7cff7ab20739a63064941d0a4e9099748533765672d11f0de1b6f306b3499c3e301206393830b52a42e99b084521000047c2b59713b10cf8c2704d6df562cf35

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ricordate.potx
              Filesize

              872KB

              MD5

              88888053a0a1c4a2ebacd522db3766e4

              SHA1

              47eaafc429f873a5aa3df6d4ffaa42f6dc8c46e0

              SHA256

              81b20754530a93459315d649beea88c776e71c0e4dfca3679895b5baf8cf439d

              SHA512

              8414ff76fb5594b5e1a33e14d67225e1456082ae63fe0dd2d178373f4339882b6dd68972c5f5b8a132181c8e6b6d3132e67cb8a6b8d38e5f048650c8cf79e064

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smarrito.potx
              Filesize

              537B

              MD5

              bedb18104f10045b04757fecd7dff6fc

              SHA1

              9ff5c6547d0f2ead6a5d42ea75c28a20cd773b46

              SHA256

              0aa6bd4bc45c7d6350eee4c1b6b4693cc0ec5536bf7e9f3afa991462efa86b45

              SHA512

              67d05403b206bf1a2dd85432b1bdf8936f400d1ffa99a7e66e17c09043b234dc046405bc529148aa4947997b9318edb5693ff410829a764c857e2439328c33e2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vorrei.potx
              Filesize

              100KB

              MD5

              aa17feebbc09be6bbde85270d81ea0ab

              SHA1

              33f71eaef043063b9102d9e917d75179b5fbcfd2

              SHA256

              85bac5060a1d05f5e00e38c267a0ccbe4d62daa0bc936b5f6f6a366ef41ec73b

              SHA512

              4d6ff7d529120147ecc829622a74461f40d1af4839e74d71080961a614355cb7f6732b4bf9de0e1d74e08b8fbe9158e3cb7013447a4a169479a1e03d9f5a861e

              Download Submit

            • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com
              Filesize

              872KB

              MD5

              c56b5f0201a3b3de53e561fe76912bfd

              SHA1

              2a4062e10a5de813f5688221dbeb3f3ff33eb417

              SHA256

              237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

              SHA512

              195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

              Download Submit

            • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
              Filesize

              63KB

              MD5

              b58b926c3574d28d5b7fdd2ca3ec30d5

              SHA1

              d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

              SHA256

              6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

              SHA512

              b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

              Download Submit

            • memory/436-29-0x00000000000D0000-0x00000000000EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/436-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/436-32-0x00000000000D0000-0x00000000000EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/436-36-0x00000000000D0000-0x00000000000EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/436-38-0x00000000000D0000-0x00000000000EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2604-25-0x00000000001A0000-0x00000000001A1000-memory.dmp

              Filesize

              4KB

              Download