Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13/01/2024, 16:51
Static task
static1
Behavioral task
behavioral1
Sample
59399529325fbd4c34a031efe298277b.exe
Resource
win7-20231129-en
0 signatures
150 seconds
General
-
Target
59399529325fbd4c34a031efe298277b.exe
-
Size
351KB
-
MD5
59399529325fbd4c34a031efe298277b
-
SHA1
861997ddb05e50afdc899c8aae4ea958852b4def
-
SHA256
a7dd08771e0b61f4adc9071bf6de08518be1b7260e631aac85eebf02dc28be3a
-
SHA512
6c1a5ac2d97ee7fc5339a47914ea5fe5d57caf7d786ff50eee3149068a2cf7928c1df46ad0cc803b98470c6601ca27cbf6d9daf41d5737b9bd54f3b50673390a
-
SSDEEP
6144:NaIgsPIvmVYSTEMt6ZeaeTgey3aB3t84AOX+9kzoYvFdaY+3Nv5tvo96RXCBlr:NxcmVTTEMt6ZheT+AVsWan3Nv5tg96RG
Malware Config
Extracted
Family
redline
Botnet
@armiaboy
C2
45.133.217.148:65255
Signatures
-
RedLine
RedLine Stealer is an information-stealing malware family written in C# that first appeared in early 2020; it harvests credentials and other data from browsers, messaging clients and cryptocurrency wallets.
-
RedLine payload 1 IoCs
resource: behavioral2/memory/3728-0-0x0000000000170000-0x000000000018E000-memory.dmp
yara_rule: family_redline
-
SectopRAT payload 1 IoCs
resource: behavioral2/memory/3728-0-0x0000000000170000-0x000000000018E000-memory.dmp
yara_rule: family_sectoprat
-
Suspicious use of SetThreadContext 1 IoCs
description: PID 888 set thread context of 3728
pid: 888
Process: 59399529325fbd4c34a031efe298277b.exe
procid_target: 104
-
Program crash 1 IoCs
pid: 3456
pid_target: 888
Process: WerFault.exe
procid_target: 74
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege
pid: 3728
Process: RegSvcs.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
description: PID 888 wrote to memory of 3728 (5 identical entries recorded)
pid: 888
Process: 59399529325fbd4c34a031efe298277b.exe
procid_target: 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\59399529325fbd4c34a031efe298277b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\59399529325fbd4c34a031efe298277b.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 888
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
    PID: 3728
  -
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 252
    - Program crash
    PID: 3456
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 888 -ip 888
  PID: 4476
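The signatures and process tree above describe one sequence: the sample running from the user's Temp directory spawns the legitimate .NET utility RegSvcs.exe, writes into its memory five times, replaces a thread context with SetThreadContext, and the hollowed RegSvcs.exe then enables SeDebugPrivilege, with the RedLine YARA rule matching the memory of that child (PID 3728). The script below is an added example, not part of the sandbox report or of any vendor's tooling: it correlates per-process events into an alert for exactly that write-plus-SetThreadContext chain and scores it against a benign control case. The event records are constructed by hand from the report's PIDs and image paths, and the field names (`op`, `pid`, `target_pid`, `detail`) and the short `DOTNET_HOSTS` list are this script's own assumptions, not a real sandbox export format.

```python
"""Correlate sandbox process events into a process-hollowing alert (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# .NET Framework utilities commonly used as injection hosts by loaders.
# Assumption: a short illustrative list, not an exhaustive catalogue.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "csc.exe", "vbc.exe"}

# Locations a freshly dropped payload typically runs from before injecting elsewhere.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ProcEvent:
    op: str                            # create | write_memory | set_thread_context | adjust_token
    pid: int                           # acting process
    image: str                         # image path of the acting process
    target_pid: Optional[int] = None   # child / injected process, if any
    detail: str = ""                   # child image for 'create', privilege for 'adjust_token'


# Constructed from the report: 888 (sample in %TEMP%) spawns RegSvcs.exe (3728),
# writes its memory five times, sets its thread context; 3728 then takes
# SeDebugPrivilege and 888 crashes into WerFault (3456).
SAMPLE = "c:\\users\\admin\\appdata\\local\\temp\\59399529325fbd4c34a031efe298277b.exe"
REGSVCS = "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\regsvcs.exe"
EVENTS = [
    ProcEvent("create", 888, SAMPLE, target_pid=3728, detail=REGSVCS),
    *[ProcEvent("write_memory", 888, SAMPLE, target_pid=3728) for _ in range(5)],
    ProcEvent("set_thread_context", 888, SAMPLE, target_pid=3728),
    ProcEvent("adjust_token", 3728, REGSVCS, detail="SeDebugPrivilege"),
    ProcEvent("create", 888, SAMPLE, target_pid=3456,
              detail="c:\\windows\\syswow64\\werfault.exe"),
]

# Constructed control case: a debugger under Program Files writes once into a
# child it launched, with no SetThreadContext and no .NET host. Should score low.
BENIGN_EVENTS = [
    ProcEvent("create", 1200, "c:\\program files\\devtools\\dbg.exe",
              target_pid=2000, detail="c:\\dev\\app.exe"),
    ProcEvent("write_memory", 1200, "c:\\program files\\devtools\\dbg.exe", target_pid=2000),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Group WriteProcessMemory / SetThreadContext by (injector, host) pair and score
    each pair. Writing another process's memory alone is common for debuggers and
    security tools; writing it AND replacing a thread context in a child you just
    spawned, where that child is a signed .NET utility, is the hollowing pattern."""
    images, parent = {}, {}
    writes = defaultdict(int)
    ctx = set()
    privs = defaultdict(set)
    for e in events:
        images[e.pid] = e.image
        if e.op == "create" and e.target_pid is not None:
            parent[e.target_pid] = e.pid
            images[e.target_pid] = e.detail
        elif e.op == "write_memory":
            writes[(e.pid, e.target_pid)] += 1
        elif e.op == "set_thread_context":
            ctx.add((e.pid, e.target_pid))
        elif e.op == "adjust_token":
            privs[e.pid].add(e.detail)

    alerts = []
    for src, dst in sorted(set(writes) | ctx):
        host = basename(images.get(dst, ""))
        signals = {
            "set_thread_context": (src, dst) in ctx,
            "spawned_by_injector": parent.get(dst) == src,
            "host_is_dotnet_utility": host in DOTNET_HOSTS,
            "injector_in_user_dir": images.get(src, "").lower().startswith(USER_WRITABLE),
        }
        hits = sum(signals.values())
        if signals["set_thread_context"] and hits >= 3:
            severity = "high"
        elif signals["set_thread_context"] or hits >= 2:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"injector_pid": src, "host_pid": dst, "host_image": host,
                       "writes": writes[(src, dst)], "host_privileges": privs[dst],
                       "signals": signals, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS) + correlate(BENIGN_EVENTS):
        print(f"[{a['severity'].upper()}] pid {a['injector_pid']} -> pid {a['host_pid']} "
              f"({a['host_image']}), {a['writes']} writes, "
              f"privileges taken by host: {sorted(a['host_privileges']) or 'none'}")
```

The scoring deliberately keys on the combination rather than any single API: a lone WriteProcessMemory is noisy, but a parent that spawns a Microsoft .NET utility from a user-writable path, writes into it and then calls SetThreadContext is the sequence this report shows, and the host afterwards requesting SeDebugPrivilege is a useful confirmation that the injected code, not RegSvcs.exe, is now running. When triaging a live host, the memory region the YARA rule matched (0x170000-0x18E000 in PID 3728) is where to dump from.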