redline | 4869e227dc7fd28afeab3a5e42322e1069c712578d0ce5ced4f6862fbbafd587

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0680a1de10066f640fd52149343d384.exe
Size

699KB
MD5

a0680a1de10066f640fd52149343d384
SHA1

9271108efe8c31da2a886ec2e33d224b26fd1175
SHA256

4869e227dc7fd28afeab3a5e42322e1069c712578d0ce5ced4f6862fbbafd587
SHA512

a9fe4b00829987a9a531d049bdefd697c8c0d04b181045a6ccd71c44e5d453f06600c0fb988c3841e1f614ac9e8cf9d334a8da086fd525cd5aa84434f7078418
SSDEEP

12288:LIj1q8+8Y61RgSvmQ/gbiMhP+HXCuHB7ENoefNsrp+i7hvMHvXRc4Mhws4D9:8qj8Y6fgomog2Md+HXhZENosNjiFB4Mg

Score

10^/10

redline sectoprat rustmacros infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

RustMacros

135.181.175.182:10628

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1468-1-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1468-1-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 1468	3952	a0680a1de10066f640fd52149343d384.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
868	3952	WerFault.exe	48

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	RegSvcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 1468	3952	a0680a1de10066f640fd52149343d384.exe	89
PID 3952 wrote to memory of 1468	3952	a0680a1de10066f640fd52149343d384.exe	89
PID 3952 wrote to memory of 1468	3952	a0680a1de10066f640fd52149343d384.exe	89
PID 3952 wrote to memory of 1468	3952	a0680a1de10066f640fd52149343d384.exe	89
PID 3952 wrote to memory of 1468	3952	a0680a1de10066f640fd52149343d384.exe	89

C:\Users\Admin\AppData\Local\Temp\a0680a1de10066f640fd52149343d384.exe
"C:\Users\Admin\AppData\Local\Temp\a0680a1de10066f640fd52149343d384.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 276
  2⤵
  - Program crash
  PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3952 -ip 3952
1⤵
PID:3840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1468-11-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1468-7-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1468-8-0x0000000005020000-0x00000000055C4000-memory.dmp

Filesize
5.6MB

Download
memory/1468-9-0x0000000005BF0000-0x0000000006208000-memory.dmp

Filesize
6.1MB

Download
memory/1468-10-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/1468-1-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1468-12-0x0000000004E20000-0x0000000004E5C000-memory.dmp

Filesize
240KB

Download
memory/1468-14-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1468-13-0x0000000005960000-0x00000000059AC000-memory.dmp

Filesize
304KB

Download
memory/1468-15-0x0000000007470000-0x000000000757A000-memory.dmp

Filesize
1.0MB

Download
memory/1468-16-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1468-17-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/3952-4-0x0000000001000000-0x0000000001100000-memory.dmp

Filesize
1024KB

Download