Analysis
-
max time kernel
155s -
max time network
173s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
14/01/2024, 07:23
Static task
static1
Behavioral task
behavioral1
Sample
5aa0f6fe71bfa5d534e6b0c54181aed1.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
5aa0f6fe71bfa5d534e6b0c54181aed1.exe
Resource
win10v2004-20231215-en
General
-
Target
5aa0f6fe71bfa5d534e6b0c54181aed1.exe
-
Size
399KB
-
MD5
5aa0f6fe71bfa5d534e6b0c54181aed1
-
SHA1
fe113ced2df6f9b01c617a039a6e040f7e935dac
-
SHA256
540696411a1e0440408c5372571ad0ff5e67230d62cbd8533b6338e03b85cf79
-
SHA512
f7d110169e74ca8ce09aa67fd1b56567f1d42fdcebe822c4d608dde7300e441db68e6b51213d49a5c40d006ef20db4ff74689c33f37814d2267a3689f6e878b6
-
SSDEEP
6144:lJCUD10/h1zbK9j32mBgwlsSJHY5yF9Ml1dXsbe9VKNTsJRJggT:5qEFXlLHY5M6sbe9VKN8RJfT
Malware Config
Extracted
redline
@a0867183086d949f0c153b3bbcf46510
95.215.207.185:64399
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 7 IoCs
resource yara_rule behavioral1/memory/2472-12-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2472-14-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2472-18-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2472-23-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2472-21-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2472-25-0x0000000000D50000-0x0000000000D90000-memory.dmp family_redline behavioral1/memory/2472-27-0x0000000000D50000-0x0000000000D90000-memory.dmp family_redline -
SectopRAT payload 7 IoCs
resource yara_rule behavioral1/memory/2472-12-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2472-14-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2472-18-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2472-23-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2472-21-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/2472-25-0x0000000000D50000-0x0000000000D90000-memory.dmp family_sectoprat behavioral1/memory/2472-27-0x0000000000D50000-0x0000000000D90000-memory.dmp family_sectoprat -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1728 set thread context of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2472 5aa0f6fe71bfa5d534e6b0c54181aed1.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1728 wrote to memory of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29 PID 1728 wrote to memory of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29 PID 1728 wrote to memory of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29 PID 1728 wrote to memory of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29 PID 1728 wrote to memory of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29 PID 1728 wrote to memory of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29 PID 1728 wrote to memory of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29 PID 1728 wrote to memory of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29 PID 1728 wrote to memory of 2472 1728 5aa0f6fe71bfa5d534e6b0c54181aed1.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\5aa0f6fe71bfa5d534e6b0c54181aed1.exe"C:\Users\Admin\AppData\Local\Temp\5aa0f6fe71bfa5d534e6b0c54181aed1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\5aa0f6fe71bfa5d534e6b0c54181aed1.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472
-