Malware Analysis Report

2025-08-06 02:59

Sample ID 240112-whfmxscghl
Target 571ec37bbc0a7b94c3a3829ee47e5bad
SHA256 459a684a6e6299ffbd967855a504ff2311cba4a8eccae192b1f4146cc3bf7382
Tags
redline sectoprat cryptex0816 infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

459a684a6e6299ffbd967855a504ff2311cba4a8eccae192b1f4146cc3bf7382

Threat Level: Known bad

The file 571ec37bbc0a7b94c3a3829ee47e5bad was found to be: Known bad.

Malicious Activity Summary

redline sectoprat cryptex0816 infostealer rat trojan

RedLine payload

SectopRAT

SectopRAT payload

RedLine

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-12 17:55

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-12 17:55

Reported

2024-01-12 17:57

Platform

win10v2004-20231215-en

Max time kernel

153s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1028 set thread context of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1028 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 1028 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 1028 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 1028 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 1028 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 1028 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 1028 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 1028 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe

"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"

C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe

"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
NL | 185.92.73.140:80 | 185.92.73.140 | tcp
NL | 185.92.73.140:443 | N/A | tcp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.73.92.185.in-addr.arpa | udp
US | 138.91.171.81:80 | N/A | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
NL | 185.92.73.140:443 | N/A | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
NL | 185.92.73.140:443 | N/A | tcp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp
NL | 185.92.73.140:443 | N/A | tcp
US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp
NL | 185.92.73.140:443 | N/A | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp

Files

memory/1028-0-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/1028-1-0x0000000000A40000-0x0000000000A66000-memory.dmp

memory/1028-2-0x0000000005920000-0x0000000005EC4000-memory.dmp

memory/1028-3-0x0000000005450000-0x00000000054EC000-memory.dmp

memory/1028-4-0x00000000053B0000-0x00000000053D4000-memory.dmp

memory/1028-5-0x0000000005420000-0x0000000005430000-memory.dmp

memory/4824-6-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\571ec37bbc0a7b94c3a3829ee47e5bad.exe.log

MD5 f5a69d9216974a1b017e4e94be20c63f
SHA1 6993175a82e6ffa484b2bfbf691668f11484ef17
SHA256 471ce598bfe72b7166f3e1b669c84436e2d6cb758dd98e8d0e4cb44a230f42ee
SHA512 d9164f8573c6cabd01357e8f27e1500100ae932aed51f6a08734dc739e36c61e2e8b231f6ce3aaac2d9b279c3ade0ad7c5189925ee7d75d4820acfdd2cac11fd

memory/4824-10-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/1028-9-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4824-11-0x00000000057F0000-0x0000000005E08000-memory.dmp

memory/4824-12-0x0000000005290000-0x00000000052A2000-memory.dmp

memory/4824-13-0x00000000052F0000-0x000000000532C000-memory.dmp

memory/4824-14-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/4824-15-0x0000000005330000-0x000000000537C000-memory.dmp

memory/4824-16-0x0000000005610000-0x000000000571A000-memory.dmp

memory/4824-17-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4824-18-0x00000000054F0000-0x0000000005500000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-12 17:55

Reported

2024-01-12 17:57

Platform

win7-20231215-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2088 set thread context of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2088 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 2088 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 2088 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 2088 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 2088 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 2088 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 2088 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 2088 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
PID 2088 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe

"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"

C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe

"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"

Network

Country | Destination | Domain | Proto
NL | 185.92.73.140:80 | 185.92.73.140 | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp
NL | 185.92.73.140:443 | N/A | tcp

Files

memory/2088-0-0x0000000000BD0000-0x0000000000BF6000-memory.dmp

memory/2088-1-0x0000000074420000-0x0000000074B0E000-memory.dmp

memory/2088-2-0x0000000000540000-0x0000000000564000-memory.dmp

memory/2088-3-0x0000000004C70000-0x0000000004CB0000-memory.dmp

memory/1456-4-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1456-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1456-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1456-10-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1456-12-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1456-14-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2088-16-0x0000000074420000-0x0000000074B0E000-memory.dmp

memory/1456-17-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1456-19-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1456-20-0x0000000073D30000-0x000000007441E000-memory.dmp

memory/1456-21-0x0000000004340000-0x0000000004380000-memory.dmp

memory/1456-22-0x0000000073D30000-0x000000007441E000-memory.dmp

memory/1456-23-0x0000000004340000-0x0000000004380000-memory.dmp