Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2024, 16:51

General

  • Target

    59399529325fbd4c34a031efe298277b.exe

  • Size

    351KB

  • MD5

    59399529325fbd4c34a031efe298277b

  • SHA1

    861997ddb05e50afdc899c8aae4ea958852b4def

  • SHA256

    a7dd08771e0b61f4adc9071bf6de08518be1b7260e631aac85eebf02dc28be3a

  • SHA512

    6c1a5ac2d97ee7fc5339a47914ea5fe5d57caf7d786ff50eee3149068a2cf7928c1df46ad0cc803b98470c6601ca27cbf6d9daf41d5737b9bd54f3b50673390a

  • SSDEEP

    6144:NaIgsPIvmVYSTEMt6ZeaeTgey3aB3t84AOX+9kzoYvFdaY+3Nv5tvo96RXCBlr:NxcmVTTEMt6ZheT+AVsWan3Nv5tg96RG

Malware Config

Extracted

Family

redline

Botnet

@armiaboy

C2

45.133.217.148:65255

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59399529325fbd4c34a031efe298277b.exe
    "C:\Users\Admin\AppData\Local\Temp\59399529325fbd4c34a031efe298277b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 252
      2⤵
      • Program crash
      PID:3456
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 888 -ip 888
    1⤵
      PID:4476
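The process tree above is the usual RedLine loader pattern: the dropped executable (PID 888) starts RegSvcs.exe from the .NET Framework directory with no arguments, then uses SetThreadContext and WriteProcessMemory on it, which is process hollowing into a signed Microsoft host, and the signatures attribute the payload running in that RegSvcs.exe (PID 3728) to RedLine with the C2 45.133.217.148:65255. The following is an added example, not part of the Tria.ge report: a Python hunt over Sysmon-style ProcessCreate (Event ID 1) and NetworkConnect (Event ID 3) records in JSON-lines form that flags a bare RegSvcs/RegAsm/InstallUtil launch from a parent outside the system directories, the sample's SHA256, and any connection to the configured C2. The event lines are constructed for illustration, and the HOLLOW_HOSTS list is an assumption to tune for your environment.

```python
"""Hunt for the RegSvcs.exe hollowing pattern and the RedLine C2 from the
report above. Added example, not part of the Tria.ge report; the Sysmon-style
JSON event lines below are constructed for illustration."""
import json

# Indicators taken from the report
C2_IP = "45.133.217.148"
C2_PORT = 65255
SAMPLE_SHA256 = "a7dd08771e0b61f4adc9071bf6de08518be1b7260e631aac85eebf02dc28be3a"

# .NET Framework utilities that commodity loaders hollow; assumption, tune locally.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def under_system_dirs(path):
    """True for parents that live under the Windows or Program Files trees."""
    return path.lower().startswith(
        ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\"))


def check_event(ev):
    """Return a list of finding strings for one Sysmon-style event dict."""
    findings = []
    eid = ev.get("EventID")
    if eid == 1:  # ProcessCreate
        image = ev["Image"]
        parent = ev.get("ParentImage", "")
        cmd = ev.get("CommandLine", "").strip().strip('"').strip()
        # RegSvcs/RegAsm/InstallUtil need an assembly argument to do anything.
        # A bare launch (command line == image path) from a parent outside the
        # system directories is the hollowing signature seen in the tree above.
        if (image_name(image) in HOLLOW_HOSTS
                and cmd.lower() == image.lower()
                and not under_system_dirs(parent)):
            findings.append(
                f"hollow-host pid={ev['ProcessId']} image={image_name(image)} parent={parent}")
        # Sysmon's Hashes field is "MD5=...,SHA256=...,..." in upper case.
        if f"sha256={SAMPLE_SHA256}" in ev.get("Hashes", "").lower():
            findings.append(f"known-sample pid={ev['ProcessId']} image={image}")
    elif eid == 3:  # NetworkConnect
        if (ev.get("DestinationIp") == C2_IP
                and int(ev.get("DestinationPort", 0)) == C2_PORT):
            findings.append(
                f"redline-c2 pid={ev['ProcessId']} image={image_name(ev['Image'])} "
                f"dst={C2_IP}:{C2_PORT}")
    return findings


def scan(lines):
    """Run check_event over JSON-lines input; blank lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(check_event(json.loads(line)))
    return findings


# Constructed events mirroring the report's tree: the sample (PID 888) launches
# a bare RegSvcs.exe (PID 3728) which then connects to the C2; plus one benign
# RegSvcs.exe run by msiexec with a real assembly argument, and one benign port.
SAMPLE_EVENTS = r'''
{"EventID": 1, "ProcessId": 888, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\59399529325fbd4c34a031efe298277b.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\59399529325fbd4c34a031efe298277b.exe\"", "ParentImage": "C:\\Windows\\explorer.exe", "Hashes": "MD5=59399529325FBD4C34A031EFE298277B,SHA256=A7DD08771E0B61F4ADC9071BF6DE08518BE1B7260E631AAC85EEBF02DC28BE3A"}
{"EventID": 1, "ProcessId": 3728, "ParentProcessId": 888, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\"", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\59399529325fbd4c34a031efe298277b.exe"}
{"EventID": 1, "ProcessId": 5120, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "CommandLine": "RegSvcs.exe \"C:\\Program Files\\Vendor\\Vendor.Services.dll\"", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"EventID": 3, "ProcessId": 3728, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "DestinationIp": "45.133.217.148", "DestinationPort": 65255}
{"EventID": 3, "ProcessId": 3728, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "DestinationIp": "45.133.217.148", "DestinationPort": 443}
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The bare-launch rule is the durable part of this: the sample hash and the C2 socket change with every build, while a RegSvcs.exe that is started without an assembly to register, by something in a user-writable directory, has no legitimate reason to exist. The WerFault.exe lines in the tree are the parent crashing after the injection and are not worth alerting on by themselves.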

Downloads

  • memory/888-15-0x00000000006D0000-0x000000000072A000-memory.dmp
    Filesize 360KB
  • memory/888-3-0x00000000006D0000-0x000000000072A000-memory.dmp
    Filesize 360KB
  • memory/3728-10-0x0000000004C90000-0x0000000004CA2000-memory.dmp
    Filesize 72KB
  • memory/3728-7-0x00000000050A0000-0x0000000005644000-memory.dmp
    Filesize 5.6MB
  • memory/3728-8-0x0000000004BD0000-0x0000000004C62000-memory.dmp
    Filesize 584KB
  • memory/3728-9-0x0000000005C70000-0x0000000006288000-memory.dmp
    Filesize 6.1MB
  • memory/3728-0-0x0000000000170000-0x000000000018E000-memory.dmp
    Filesize 120KB
  • memory/3728-11-0x0000000004E70000-0x0000000004EAC000-memory.dmp
    Filesize 240KB
  • memory/3728-12-0x0000000004E60000-0x0000000004E70000-memory.dmp
    Filesize 64KB
  • memory/3728-13-0x00000000059F0000-0x0000000005A3C000-memory.dmp
    Filesize 304KB
  • memory/3728-14-0x00000000074F0000-0x00000000075FA000-memory.dmp
    Filesize 1.0MB
  • memory/3728-6-0x00000000744E0000-0x0000000074C90000-memory.dmp
    Filesize 7.7MB
  • memory/3728-16-0x00000000744E0000-0x0000000074C90000-memory.dmp
    Filesize 7.7MB
  • memory/3728-17-0x0000000004E60000-0x0000000004E70000-memory.dmp
    Filesize 64KB