Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13/01/2024, 02:54
Static task
static1
Behavioral task
behavioral1
Sample
57cbb7d00cb27f844a3b794703617734.exe
Resource
win7-20231215-en
General
-
Target
57cbb7d00cb27f844a3b794703617734.exe
-
Size
587KB
-
MD5
57cbb7d00cb27f844a3b794703617734
-
SHA1
636e852e6b75ecddca3cc8de5aecb088ab9328b0
-
SHA256
a3dcc6671290b07cb0b9f3fb57b347043d0e295628de1f378883114146842d4e
-
SHA512
bc254a63dbb01d633ccafd12f35a1ee69fd22d08cfa326b07a6a491535a5d4382e117db1e1b3746a31ccdf0700afbe9c9b9e24f2a015704d8c5ab4ec7592c06b
-
SSDEEP
12288:bkjhC163C5eA1GorPwwBwEdLFdP/p6LKVHbO/UqV:zwE13p
Malware Config
Extracted
redline
installzo
185.186.142.245:1778
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/3504-6-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
SectopRAT payload 3 IoCs
resource yara_rule behavioral2/memory/3504-6-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral2/memory/3504-14-0x0000000005870000-0x0000000005880000-memory.dmp family_sectoprat behavioral2/memory/3504-18-0x0000000005870000-0x0000000005880000-memory.dmp family_sectoprat -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2212 set thread context of 3504 2212 57cbb7d00cb27f844a3b794703617734.exe 92 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3504 57cbb7d00cb27f844a3b794703617734.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2212 wrote to memory of 3504 2212 57cbb7d00cb27f844a3b794703617734.exe 92 PID 2212 wrote to memory of 3504 2212 57cbb7d00cb27f844a3b794703617734.exe 92 PID 2212 wrote to memory of 3504 2212 57cbb7d00cb27f844a3b794703617734.exe 92 PID 2212 wrote to memory of 3504 2212 57cbb7d00cb27f844a3b794703617734.exe 92 PID 2212 wrote to memory of 3504 2212 57cbb7d00cb27f844a3b794703617734.exe 92 PID 2212 wrote to memory of 3504 2212 57cbb7d00cb27f844a3b794703617734.exe 92 PID 2212 wrote to memory of 3504 2212 57cbb7d00cb27f844a3b794703617734.exe 92 PID 2212 wrote to memory of 3504 2212 57cbb7d00cb27f844a3b794703617734.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\57cbb7d00cb27f844a3b794703617734.exe"C:\Users\Admin\AppData\Local\Temp\57cbb7d00cb27f844a3b794703617734.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\57cbb7d00cb27f844a3b794703617734.exeC:\Users\Admin\AppData\Local\Temp\57cbb7d00cb27f844a3b794703617734.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3504
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\57cbb7d00cb27f844a3b794703617734.exe.log
Filesize700B
MD5e5352797047ad2c91b83e933b24fbc4f
SHA19bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827