Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
13/01/2024, 03:05
Static task
static1
Behavioral task
behavioral1
Sample
57d0d960e4b7a4d91ba76ed63733f651.exe
Resource
win7-20231215-en
General
-
Target
57d0d960e4b7a4d91ba76ed63733f651.exe
-
Size
594KB
-
MD5
57d0d960e4b7a4d91ba76ed63733f651
-
SHA1
4b2beaabb4db2d61b0e38be8fe7554a7cb07f273
-
SHA256
4ef7c382cc0efa37b7d009d78ae2e4cb023be523ba22d5f4b90a858123ea1be0
-
SHA512
b24e65205839111f7ba0aa1a58bb7b56c334961cbe3288fc36bcff92b96576e096c302cc8c1c9060a2c40c041c3b548af131126008437c28678758796e7de38e
-
SSDEEP
12288:rU9zXTkRC7igcqkAWt4A457juR2u1BIZ1FlAMe15:rKXnFe5
Malware Config
Extracted
redline
EU3
185.234.247.197:33071
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4976-6-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
resource yara_rule behavioral2/memory/4976-6-0x0000000000400000-0x0000000000420000-memory.dmp family_sectoprat -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2740 set thread context of 4976 2740 57d0d960e4b7a4d91ba76ed63733f651.exe 92 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 2404 svchost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2740 wrote to memory of 4976 2740 57d0d960e4b7a4d91ba76ed63733f651.exe 92 PID 2740 wrote to memory of 4976 2740 57d0d960e4b7a4d91ba76ed63733f651.exe 92 PID 2740 wrote to memory of 4976 2740 57d0d960e4b7a4d91ba76ed63733f651.exe 92 PID 2740 wrote to memory of 4976 2740 57d0d960e4b7a4d91ba76ed63733f651.exe 92 PID 2740 wrote to memory of 4976 2740 57d0d960e4b7a4d91ba76ed63733f651.exe 92 PID 2740 wrote to memory of 4976 2740 57d0d960e4b7a4d91ba76ed63733f651.exe 92 PID 2740 wrote to memory of 4976 2740 57d0d960e4b7a4d91ba76ed63733f651.exe 92 PID 2740 wrote to memory of 4976 2740 57d0d960e4b7a4d91ba76ed63733f651.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\57d0d960e4b7a4d91ba76ed63733f651.exe"C:\Users\Admin\AppData\Local\Temp\57d0d960e4b7a4d91ba76ed63733f651.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\57d0d960e4b7a4d91ba76ed63733f651.exeC:\Users\Admin\AppData\Local\Temp\57d0d960e4b7a4d91ba76ed63733f651.exe2⤵PID:4976
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:1796
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\57d0d960e4b7a4d91ba76ed63733f651.exe.log
Filesize700B
MD5e5352797047ad2c91b83e933b24fbc4f
SHA19bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827