Analysis
max time kernel: 144s
max time network: 145s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2023 11:35
Behavioral task: behavioral1
Sample: 348ec113dac9d1ad8c37ed33efb9e98d.exe
Resource: win7-20231129-en
General
Target: 348ec113dac9d1ad8c37ed33efb9e98d.exe
Size: 1013KB
MD5: 348ec113dac9d1ad8c37ed33efb9e98d
SHA1: 0155e7ee208657b1970d4d6e42d1f18096eb4fbe
SHA256: f1199e5b5953534ddbb788d136dd99e6c1d20698458afc9c01b70972b2b3b9af
SHA512: 54fa4c4defecdd3b11a95600d4806d1be8350424f146dd82c929a398d44a5c962fd711566f454551eeb53c1bbfc8d74b8e175fe541fce0bcbf9ab06106296de8
SSDEEP: 24576:cT3oblY5lxt9Yi/+eX+ZGfJglBBK2xfLT:cT3KlkxtaeOZGfJgDBK2tH
Malware Config
Extracted
Family: redline
Botnet: 10
C2: wemakeclay.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2608-20-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2608-18-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2608-16-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2608-12-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2608-10-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
SectopRAT payload 5 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2608-20-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2608-18-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2608-16-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2608-12-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2608-10-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource                                                                      yara_rule
behavioral1/memory/2220-0-0x0000000000AA0000-0x0000000000BA2000-memory.dmp    agile_net
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process                                target process
PID 2220 set thread context of 2608  2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2608  348ec113dac9d1ad8c37ed33efb9e98d.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                        pid   process                                target process
PID 2220 wrote to memory of 2608   2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608   2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608   2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608   2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608   2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608   2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608   2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608   2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
PID 2220 wrote to memory of 2608   2220  348ec113dac9d1ad8c37ed33efb9e98d.exe   348ec113dac9d1ad8c37ed33efb9e98d.exe
Processes
C:\Users\Admin\AppData\Local\Temp\348ec113dac9d1ad8c37ed33efb9e98d.exe (PID 2220)
  "C:\Users\Admin\AppData\Local\Temp\348ec113dac9d1ad8c37ed33efb9e98d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\348ec113dac9d1ad8c37ed33efb9e98d.exe (PID 2608, child of 2220)
      "C:\Users\Admin\AppData\Local\Temp\348ec113dac9d1ad8c37ed33efb9e98d.exe"
      - Suspicious use of AdjustPrivilegeToken
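The Signatures and Processes sections together describe process hollowing: the sample starts a second copy of itself, writes into it nine times, then sets its thread context, and the RedLine/SectopRAT YARA hits land in the child's 0x400000-0x41E000 region. The script below, an added example and not the sandbox's own signature logic, turns that pattern into a detection over a list of cross-process API events. The PROCESSES table and EVENTS list are constructed to mirror the report (PID 2220 into PID 2608, same image path, nine writes, one SetThreadContext); the event order is an assumption, because the report gives counts only.

```python
"""Flag the process-hollowing pattern this report records: one process writes into a
second process and then replaces its thread context.  Added example, not the
sandbox's own signature code.  PROCESSES and EVENTS are constructed to mirror the
report's Signatures section; the event order is an assumption."""
from collections import Counter, defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\348ec113dac9d1ad8c37ed33efb9e98d.exe"

# Constructed process table: pid -> (image path, parent pid).
PROCESSES = {
    2220: (IMAGE, None),
    2608: (IMAGE, 2220),
}

# Constructed event log: (api, source pid, target pid), in time order.  A write into
# the caller's own process is included to show that it is ignored.
EVENTS = [("WriteProcessMemory", 2220, 2608)] * 9 + [
    ("SetThreadContext", 2220, 2608),
    ("WriteProcessMemory", 2220, 2220),
]

HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def find_hollowing(events, processes):
    """One finding per (source, target) pair that shows both a remote write and a
    thread-context change.  `ordered` is True when the first write precedes the
    context change, which is the sequence hollowing needs (image written, then
    entry point redirected); `same_image` marks self-hollowing, the form in this
    report, where the child runs the parent's own executable."""
    seen = defaultdict(set)
    counts = Counter()
    first = {}
    for i, (api, src, dst) in enumerate(events):
        if src == dst:  # writes into the caller's own address space are normal
            continue
        seen[(src, dst)].add(api)
        counts[(src, dst, api)] += 1
        first.setdefault((src, dst, api), i)

    findings = []
    for (src, dst), apis in sorted(seen.items()):
        if not HOLLOWING_APIS <= apis:
            continue
        src_image, _ = processes.get(src, ("", None))
        dst_image, dst_parent = processes.get(dst, ("", None))
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "is_child": dst_parent == src,
            "same_image": bool(src_image) and src_image.lower() == dst_image.lower(),
            "writes": counts[(src, dst, "WriteProcessMemory")],
            "context_sets": counts[(src, dst, "SetThreadContext")],
            "ordered": first[(src, dst, "WriteProcessMemory")]
                       < first[(src, dst, "SetThreadContext")],
            "attack": "T1055.012",  # MITRE ATT&CK: Process Injection: Process Hollowing
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS, PROCESSES):
        print(finding)
```

On real telemetry the same function works on Sysmon event ID 8/10 pairs or sandbox API traces once they are reduced to (api, source, target) triples; a finding with `same_image` and `is_child` both true is the loader pattern in this report, and its target PID is the one whose memory dumps are worth carving.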
Network
MITRE ATT&CK Matrix
Downloads
resource                                                           filesize
memory/2220-21-0x0000000074E70000-0x000000007555E000-memory.dmp   6.9MB
memory/2220-4-0x0000000074E70000-0x000000007555E000-memory.dmp    6.9MB
memory/2220-0-0x0000000000AA0000-0x0000000000BA2000-memory.dmp    1.0MB
memory/2220-7-0x00000000006E0000-0x0000000000712000-memory.dmp    200KB
memory/2220-3-0x0000000000320000-0x0000000000338000-memory.dmp    96KB
memory/2220-5-0x0000000004EC0000-0x0000000004F00000-memory.dmp    256KB
memory/2220-6-0x0000000008060000-0x00000000080FE000-memory.dmp    632KB
memory/2220-1-0x0000000074E70000-0x000000007555E000-memory.dmp    6.9MB
memory/2220-2-0x0000000004EC0000-0x0000000004F00000-memory.dmp    256KB
memory/2608-23-0x0000000004E20000-0x0000000004E60000-memory.dmp   256KB
memory/2608-22-0x0000000074E70000-0x000000007555E000-memory.dmp   6.9MB
memory/2608-8-0x0000000000400000-0x000000000041E000-memory.dmp    120KB
memory/2608-20-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
memory/2608-16-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
memory/2608-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp   4KB
memory/2608-12-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
memory/2608-10-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
memory/2608-9-0x0000000000400000-0x000000000041E000-memory.dmp    120KB
memory/2608-18-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
memory/2608-24-0x0000000074E70000-0x000000007555E000-memory.dmp   6.9MB
memory/2608-25-0x0000000004E20000-0x0000000004E60000-memory.dmp   256KB