Analysis
- Max time kernel: 150s
- Max time network: 152s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231215-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 13/01/2024, 16:12
- Static task: static1
- Behavioral task: behavioral1 (sample 5928745f1d5cab62de613b4c5f558df1.exe, resource win7-20231215-en)
- Behavioral task: behavioral2 (sample 5928745f1d5cab62de613b4c5f558df1.exe, resource win10v2004-20231215-en)
General
- Target: 5928745f1d5cab62de613b4c5f558df1.exe
- Size: 2.3MB
- MD5: 5928745f1d5cab62de613b4c5f558df1
- SHA1: 4a511b360df83b69f9144e6fb23f3ea0b133ccfd
- SHA256: 10cdc1c1b8112716b5aec0caba5db1cef422176c550288f4952473c216357466
- SHA512: e81ce51d581ac136d5884730a8af696f006ddc2e6d6f334cfab9195f6db5e1f75adcddd53a6d4ebed60753e45cd65d19a15f25886b3dd3a988f5794b4e71df9a
- SSDEEP: 49152:/5+hFVRTb0i5i+7baItMOV861aT0Sxiz8lVHTIioOFZQ+A:/5aFVSi5B7OICOV83ISxiqZ7A
Malware Config
Extracted
- Family: redline
- Botnet: @lovefuckwithyourmom
- C2: xetadycami.xyz:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000600000002320e-46.dat | family_redline
  behavioral2/memory/2740-47-0x0000000000440000-0x000000000045E000-memory.dmp | family_redline
- SectopRAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000600000002320e-46.dat | family_sectoprat
  behavioral2/memory/2740-47-0x0000000000440000-0x000000000045E000-memory.dmp | family_sectoprat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 5928745f1d5cab62de613b4c5f558df1.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  2224 | 7z.exe
  1640 | 7z.exe
  396 | 7z.exe
  4900 | 7z.exe
  2568 | 7z.exe
  2740 | @lovefuckwithyourmom.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  2224 | 7z.exe
  1640 | 7z.exe
  396 | 7z.exe
  4900 | 7z.exe
  2568 | 7z.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege; Token: 35; Token: SeSecurityPrivilege; Token: SeSecurityPrivilege | 2224 | 7z.exe
  Token: SeRestorePrivilege; Token: 35; Token: SeSecurityPrivilege; Token: SeSecurityPrivilege | 1640 | 7z.exe
  Token: SeRestorePrivilege; Token: 35; Token: SeSecurityPrivilege; Token: SeSecurityPrivilege | 396 | 7z.exe
  Token: SeRestorePrivilege; Token: 35; Token: SeSecurityPrivilege; Token: SeSecurityPrivilege | 4900 | 7z.exe
  Token: SeRestorePrivilege; Token: 35; Token: SeSecurityPrivilege; Token: SeSecurityPrivilege | 2568 | 7z.exe
  Token: SeDebugPrivilege | 2740 | @lovefuckwithyourmom.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 3600 wrote to memory of 1572 (2 entries) | 3600 | 5928745f1d5cab62de613b4c5f558df1.exe | 91
  PID 1572 wrote to memory of 4572 (2 entries) | 1572 | cmd.exe | 93
  PID 1572 wrote to memory of 2224 (2 entries) | 1572 | cmd.exe | 95
  PID 1572 wrote to memory of 1640 (2 entries) | 1572 | cmd.exe | 102
  PID 1572 wrote to memory of 396 (2 entries) | 1572 | cmd.exe | 101
  PID 1572 wrote to memory of 4900 (2 entries) | 1572 | cmd.exe | 96
  PID 1572 wrote to memory of 2568 (2 entries) | 1572 | cmd.exe | 100
  PID 1572 wrote to memory of 4260 (2 entries) | 1572 | cmd.exe | 99
  PID 1572 wrote to memory of 2740 (3 entries) | 1572 | cmd.exe | 98
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid | Process
  4260 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"
  PID: 3600
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
    PID: 1572
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command: mode 65,10
      PID: 4572
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command: 7z.exe e file.zip -p -oextracted
      PID: 2224
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command: 7z.exe e extracted/file_2.zip -oextracted
      PID: 4900
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
      Command: "@lovefuckwithyourmom.exe"
      PID: 2740
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\attrib.exe
      Command: attrib +H "@lovefuckwithyourmom.exe"
      PID: 4260
      Signatures: Views/modifies file attributes
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command: 7z.exe e extracted/file_1.zip -oextracted
      PID: 2568
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command: 7z.exe e extracted/file_3.zip -oextracted
      PID: 396
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command: 7z.exe e extracted/file_4.zip -oextracted
      PID: 1640
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads