Analysis
max time kernel: 141s
max time network: 140s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12/01/2024, 19:54
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 575cddd17ff8d7127e66797e14b82213.exe
  Resource: win7-20231215-en
  6 signatures, 150 seconds
General
Target: 575cddd17ff8d7127e66797e14b82213.exe
Size: 2.0MB
MD5: 575cddd17ff8d7127e66797e14b82213
SHA1: 3a4524d531ad39fbebef2f8c5973aee350c79332
SHA256: 8b57e63ca7ed0ec0c3c152ed8ff71fa6156664008df4e3f75a4cf56db2c44f41
SHA512: f674532cd7fa31f00f267c3c866ff0c1359aa0e3c18860db587263bdf4051408f98df500909c77badcc97998554092e9dae907fffd75fd912452af531c106938
SSDEEP: 49152:SC82pr6Xm2TEalaSOO6mhSq0eVkLPxHUONG5hWY3KF:SCz6DEalaS96k0MkjbEGM
Malware Config (Extracted)
Family: redline
Botnet: Ixori228
C2: 185.172.129.61:52372
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

SectopRAT payload (16 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2928-4-0x0000000001290000-0x0000000001BAA000-memory.dmp    family_sectoprat
  behavioral1/memory/2928-3-0x0000000001290000-0x0000000001BAA000-memory.dmp    family_sectoprat
  behavioral1/memory/2928-6-0x0000000001290000-0x0000000001BAA000-memory.dmp    family_sectoprat
  behavioral1/memory/2928-8-0x0000000001290000-0x0000000001BAA000-memory.dmp    family_sectoprat
  behavioral1/memory/2928-11-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-12-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-13-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-14-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-15-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-16-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-17-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-18-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-19-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-20-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-21-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat
  behavioral1/memory/2928-22-0x0000000001290000-0x0000000001BAA000-memory.dmp   family_sectoprat

Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)
  pid   Process
  2928  575cddd17ff8d7127e66797e14b82213.exe   (15 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                pid   Process
  Token: SeDebugPrivilege    2928  575cddd17ff8d7127e66797e14b82213.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2928  575cddd17ff8d7127e66797e14b82213.exe