redline | 8a269b9cb003cde07e1b18b16cc59384343be9a9cb5ab71cb6f82ee5e2cd130b

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eef6d2361a4ba46c76fc7390211ef50.exe
Size

497KB
MD5

8eef6d2361a4ba46c76fc7390211ef50
SHA1

80d740edde7fffbd05ebaafbcf6d7bb8a02ad016
SHA256

8a269b9cb003cde07e1b18b16cc59384343be9a9cb5ab71cb6f82ee5e2cd130b
SHA512

95ce5f64b443158c2c5cce1d43431a099257c5d49e52d8a17f178df32c69c143ad0d46c8682cc4ff521639c05fc44bdd0ce414f994087cfd524f9d0d9d021513
SSDEEP

6144:e33nzsAF7YrlbTyeaheHhpz85ka+wxdLsb/:OjsAF7YrlbO3hi9wsj

Score

10^/10

redline sectoprat 3 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

45.88.107.116:44061

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4552-9-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4552-9-0x0000000000400000-0x000000000042C000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

8eef6d2361a4ba46c76fc7390211ef50.exe

description pid process target process

PID 468 set thread context of 4552 468 8eef6d2361a4ba46c76fc7390211ef50.exe 8eef6d2361a4ba46c76fc7390211ef50.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4460 468 WerFault.exe 8eef6d2361a4ba46c76fc7390211ef50.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8eef6d2361a4ba46c76fc7390211ef50.exe

description pid process

Token: SeDebugPrivilege 468 8eef6d2361a4ba46c76fc7390211ef50.exe

description	pid	process	target process
PID 468 set thread context of 4552	468	8eef6d2361a4ba46c76fc7390211ef50.exe	8eef6d2361a4ba46c76fc7390211ef50.exe

pid	pid_target	process	target process
4460	468	WerFault.exe	8eef6d2361a4ba46c76fc7390211ef50.exe

description	pid	process
Token: SeDebugPrivilege	468	8eef6d2361a4ba46c76fc7390211ef50.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8eef6d2361a4ba46c76fc7390211ef50.exe

description	pid	process	target process
PID 468 wrote to memory of 4552	468	8eef6d2361a4ba46c76fc7390211ef50.exe	8eef6d2361a4ba46c76fc7390211ef50.exe
PID 468 wrote to memory of 4552	468	8eef6d2361a4ba46c76fc7390211ef50.exe	8eef6d2361a4ba46c76fc7390211ef50.exe
PID 468 wrote to memory of 4552	468	8eef6d2361a4ba46c76fc7390211ef50.exe	8eef6d2361a4ba46c76fc7390211ef50.exe
PID 468 wrote to memory of 4552	468	8eef6d2361a4ba46c76fc7390211ef50.exe	8eef6d2361a4ba46c76fc7390211ef50.exe
PID 468 wrote to memory of 4552	468	8eef6d2361a4ba46c76fc7390211ef50.exe	8eef6d2361a4ba46c76fc7390211ef50.exe
PID 468 wrote to memory of 4552	468	8eef6d2361a4ba46c76fc7390211ef50.exe	8eef6d2361a4ba46c76fc7390211ef50.exe
PID 468 wrote to memory of 4552	468	8eef6d2361a4ba46c76fc7390211ef50.exe	8eef6d2361a4ba46c76fc7390211ef50.exe
PID 468 wrote to memory of 4552	468	8eef6d2361a4ba46c76fc7390211ef50.exe	8eef6d2361a4ba46c76fc7390211ef50.exe

C:\Users\Admin\AppData\Local\Temp\8eef6d2361a4ba46c76fc7390211ef50.exe
"C:\Users\Admin\AppData\Local\Temp\8eef6d2361a4ba46c76fc7390211ef50.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Users\Admin\AppData\Local\Temp\8eef6d2361a4ba46c76fc7390211ef50.exe
"C:\Users\Admin\AppData\Local\Temp\8eef6d2361a4ba46c76fc7390211ef50.exe"
2⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1112
2⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 468 -ip 468
1⤵
PID:3256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-19-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/468-1-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/468-2-0x0000000004E20000-0x0000000004EBC000-memory.dmp

Filesize
624KB

Download
memory/468-3-0x0000000005530000-0x0000000005AD4000-memory.dmp

Filesize
5.6MB

Download
memory/468-4-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/468-5-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/468-6-0x0000000004F40000-0x0000000004F4A000-memory.dmp

Filesize
40KB

Download
memory/468-7-0x0000000005170000-0x00000000051C6000-memory.dmp

Filesize
344KB

Download
memory/468-8-0x0000000005130000-0x000000000514E000-memory.dmp

Filesize
120KB

Download
memory/468-10-0x0000000005240000-0x0000000005248000-memory.dmp

Filesize
32KB

Download
memory/468-0-0x0000000000570000-0x00000000005F0000-memory.dmp

Filesize
512KB

Download
memory/4552-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4552-13-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/4552-14-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/4552-15-0x0000000004E30000-0x0000000004F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4552-16-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4552-17-0x0000000004D60000-0x0000000004D9C000-memory.dmp

Filesize
240KB

Download
memory/4552-18-0x0000000004DA0000-0x0000000004DEC000-memory.dmp

Filesize
304KB

Download
memory/4552-12-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/4552-20-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/4552-21-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download