redline | 41257eb458426a09f3ae33dedb9d3b1e3c8828e0de60f0389a43f8390ca4e166

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 05:24

Target

581721e440712b96cc96d52122c5dc62.exe
Size

344KB
MD5

581721e440712b96cc96d52122c5dc62
SHA1

661da1d3828b8a5dcbbc3b2dabda7f35af57b1ac
SHA256

41257eb458426a09f3ae33dedb9d3b1e3c8828e0de60f0389a43f8390ca4e166
SHA512

03bb84e5490f9b5b540fe987a02a57112444deefa099a70026272620f34ea486869002025e60db774c6366c841d1af1e1b463a9b0ba5777c4f11ded2f25e73c3
SSDEEP

6144:GOI2RN2NiVXrr9phieyJ+RsHYlNbCwkzuhGMahHvaZo0t7VKa:/FRQNiVv9phiysHI3kC9ahHvae0Jw

Score

10^/10

Family

redline

Botnet

SewPalpadin

185.215.113.114:8887

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3052-4-0x0000000000950000-0x0000000000970000-memory.dmp	family_redline
behavioral1/memory/3052-7-0x00000000009E0000-0x00000000009FE000-memory.dmp	family_redline
behavioral1/memory/3052-12-0x0000000004F90000-0x0000000004FD0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3052-4-0x0000000000950000-0x0000000000970000-memory.dmp	family_sectoprat
behavioral1/memory/3052-7-0x00000000009E0000-0x00000000009FE000-memory.dmp	family_sectoprat
behavioral1/memory/3052-12-0x0000000004F90000-0x0000000004FD0000-memory.dmp	family_sectoprat

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

581721e440712b96cc96d52122c5dc62.exe

description pid process

Token: SeDebugPrivilege 3052 581721e440712b96cc96d52122c5dc62.exe

description	pid	process
Token: SeDebugPrivilege	3052	581721e440712b96cc96d52122c5dc62.exe

C:\Users\Admin\AppData\Local\Temp\581721e440712b96cc96d52122c5dc62.exe
"C:\Users\Admin\AppData\Local\Temp\581721e440712b96cc96d52122c5dc62.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052

memory/3052-2-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3052-1-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/3052-3-0x0000000000400000-0x000000000090C000-memory.dmp

Filesize
5.0MB

Download
memory/3052-4-0x0000000000950000-0x0000000000970000-memory.dmp

Filesize
128KB

Download
memory/3052-6-0x0000000004F90000-0x0000000004FD0000-memory.dmp

Filesize
256KB

Download
memory/3052-5-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-7-0x00000000009E0000-0x00000000009FE000-memory.dmp

Filesize
120KB

Download
memory/3052-8-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/3052-10-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-12-0x0000000004F90000-0x0000000004FD0000-memory.dmp

Filesize
256KB

Download