redline | ede58b194ccbae4f7791de9dc2dff85077c69065061d44585e7f2410efbca877

Analysis

max time kernel
149s
max time network
166s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 00:16

Target

215780b0ede9fa802540127e703d19db.exe
Size

191KB
MD5

215780b0ede9fa802540127e703d19db
SHA1

21b73769af967c94bc9ca2ce734c60ae858d12fd
SHA256

ede58b194ccbae4f7791de9dc2dff85077c69065061d44585e7f2410efbca877
SHA512

aeeafe0b87be2984a23dd838166acb5ea4e6b4e3e126cdf0401f498df7feff4f1b44f3641d4a52619d3b80b5c9a2ddb9b07c411e2ecaa7f8380ce86687e39cbf
SSDEEP

3072:PTjHRYy1ytHd8VBoWJ0ILe7kOL5HsQNRJ0OPq3ZsWhJ7AX6MzmrdQAzTJ8/vHUVG:bzRS5qLoDued5sQNRhiJsWj7bMETJ8/x

Score

10^/10

Family

redline

Botnet

727

qumaranero.xyz:80

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2804-4-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2804-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2804-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2804-4-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2804-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2804-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2804-11-0x0000000000460000-0x00000000004A0000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

215780b0ede9fa802540127e703d19db.exe

description pid process target process

PID 2192 set thread context of 2804 2192 215780b0ede9fa802540127e703d19db.exe 215780b0ede9fa802540127e703d19db.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

215780b0ede9fa802540127e703d19db.exe215780b0ede9fa802540127e703d19db.exe

description pid process

Token: SeDebugPrivilege 2192 215780b0ede9fa802540127e703d19db.exe
Token: SeDebugPrivilege 2804 215780b0ede9fa802540127e703d19db.exe

description	pid	process	target process
PID 2192 set thread context of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe

description	pid	process
Token: SeDebugPrivilege	2192	215780b0ede9fa802540127e703d19db.exe
Token: SeDebugPrivilege	2804	215780b0ede9fa802540127e703d19db.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

215780b0ede9fa802540127e703d19db.exe

description	pid	process	target process
PID 2192 wrote to memory of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe
PID 2192 wrote to memory of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe
PID 2192 wrote to memory of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe
PID 2192 wrote to memory of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe
PID 2192 wrote to memory of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe
PID 2192 wrote to memory of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe
PID 2192 wrote to memory of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe
PID 2192 wrote to memory of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe
PID 2192 wrote to memory of 2804	2192	215780b0ede9fa802540127e703d19db.exe	215780b0ede9fa802540127e703d19db.exe

C:\Users\Admin\AppData\Local\Temp\215780b0ede9fa802540127e703d19db.exe
C:\Users\Admin\AppData\Local\Temp\215780b0ede9fa802540127e703d19db.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

memory/2192-0-0x0000000000C90000-0x0000000000CC4000-memory.dmp

Filesize
208KB

Download
memory/2192-1-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-2-0x00000000003D0000-0x0000000000410000-memory.dmp

Filesize
256KB

Download
memory/2192-3-0x0000000000420000-0x0000000000434000-memory.dmp

Filesize
80KB

Download
memory/2192-6-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2804-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2804-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2804-10-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-11-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/2804-12-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-13-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download