Overview

overview

10

Static

static

1

8a1995805a...87.exe

windows7-x64

10

8a1995805a...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2024 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a1995805ad65999ec546a1074ac9887.exe

  • Size

    1.6MB

  • MD5

    8a1995805ad65999ec546a1074ac9887

  • SHA1

    11d5589ca5ebb127ea57b89ee5da89e0b64fa4c6

  • SHA256

    2040517dac0b553d4a589bb8c14ca4329022e0ce5e5d0ef0f2c08a2deb10fb5b

  • SHA512

    cad4e187956e4db24d291ea725caf89439440eb97ebe9fa76438b76ada66ecc01a4143bf688c6506ec5148c79338e7f581305d2cb8ad17552c558c62706ae777

  • SSDEEP

    24576:HK+3Ydk145I7qRZPNHNtlGkrmwRGPoN7vdiTbnFMI3YqQl55T:HK+I045xRVNXUIm/PoiMIov

Score
10/10
redlinesectopratmastifinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

mastif

C2

91.121.146.23:9519

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a1995805ad65999ec546a1074ac9887.exe
    "C:\Users\Admin\AppData\Local\Temp\8a1995805ad65999ec546a1074ac9887.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Local\Temp\8a1995805ad65999ec546a1074ac9887.exe
      "C:\Users\Admin\AppData\Local\Temp\8a1995805ad65999ec546a1074ac9887.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8a1995805ad65999ec546a1074ac9887.exe.log
    Filesize

    1KB

    MD5

    e7473990edf901c1e1bef76f6095f55b

    SHA1

    f03b370492bbcc5280982886f9688eb8da762c8f

    SHA256

    5fea4747d97c0dbc097902818ae754eaca7214913a52d3bb1372a6274ce0292a

    SHA512

    ab93f14371dfae858bbad7d98c95055186f60b30937057f71b3d1ad17ab08b5ab7820a33bc5b3e74c485ec38e6b7a1772077add591d313175c10b4ff94bcb689

    Download Submit
  • memory/2748-13-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2748-25-0x0000000005A40000-0x0000000005A50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2748-24-0x0000000074780000-0x0000000074F30000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2748-23-0x0000000005B70000-0x0000000005C7A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2748-22-0x0000000005900000-0x000000000594C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2748-21-0x0000000005A40000-0x0000000005A50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2748-20-0x00000000058C0000-0x00000000058FC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2748-18-0x0000000005DE0000-0x00000000063F8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2748-19-0x0000000005860000-0x0000000005872000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2748-17-0x0000000074780000-0x0000000074F30000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4944-6-0x00000000050E0000-0x00000000050EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4944-7-0x0000000005340000-0x0000000005396000-memory.dmp
    Filesize

    344KB

    Download
  • memory/4944-11-0x0000000006D10000-0x0000000006D9E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/4944-10-0x0000000005330000-0x0000000005340000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4944-9-0x0000000074780000-0x0000000074F30000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4944-16-0x0000000074780000-0x0000000074F30000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4944-8-0x0000000005420000-0x0000000005432000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4944-12-0x0000000009360000-0x0000000009380000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4944-0-0x00000000004C0000-0x000000000065E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4944-5-0x0000000005330000-0x0000000005340000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4944-4-0x0000000005160000-0x00000000051F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4944-3-0x0000000005670000-0x0000000005C14000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4944-2-0x0000000005010000-0x00000000050AC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4944-1-0x0000000074780000-0x0000000074F30000-memory.dmp
    Filesize

    7.7MB

    Download