Malware Analysis Report

2024-08-06 17:51

Sample ID 240224-eee4jshc4v
Target a0dfd4af2c176679731bb4ac406333be
SHA256 1ee024f712833ad9885e44c3e9a8b14a22de1769adb94a0aab6577c36c4d10c2
Tags: redline sectoprat test infostealer rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

1ee024f712833ad9885e44c3e9a8b14a22de1769adb94a0aab6577c36c4d10c2

Threat Level: Known bad

The file a0dfd4af2c176679731bb4ac406333be was found to be: Known bad.

Malicious Activity Summary

redline sectoprat test infostealer rat trojan

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-24 03:50

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 03:50

Reported

2024-02-24 03:53

Platform

win7-20240221-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0dfd4af2c176679731bb4ac406333be.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                               Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\a0dfd4af2c176679731bb4ac406333be.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0dfd4af2c176679731bb4ac406333be.exe

"C:\Users\Admin\AppData\Local\Temp\a0dfd4af2c176679731bb4ac406333be.exe"

Network

Country  Destination          Domain  Proto
FR       193.56.146.78:54955          tcp
FR       193.56.146.78:54955          tcp
FR       193.56.146.78:54955          tcp
FR       193.56.146.78:54955          tcp
FR       193.56.146.78:54955          tcp
FR       193.56.146.78:54955          tcp

Files

memory/1812-1-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

memory/1812-2-0x0000000000220000-0x000000000024F000-memory.dmp

memory/1812-3-0x0000000000400000-0x0000000000915000-memory.dmp

memory/1812-5-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/1812-4-0x0000000000360000-0x0000000000382000-memory.dmp

memory/1812-6-0x0000000004E60000-0x0000000004EA0000-memory.dmp

memory/1812-7-0x0000000004E60000-0x0000000004EA0000-memory.dmp

memory/1812-8-0x0000000000970000-0x0000000000990000-memory.dmp

memory/1812-9-0x0000000004E60000-0x0000000004EA0000-memory.dmp

memory/1812-10-0x0000000000220000-0x000000000024F000-memory.dmp

memory/1812-11-0x0000000000400000-0x0000000000915000-memory.dmp

memory/1812-12-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

memory/1812-13-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/1812-14-0x0000000004E60000-0x0000000004EA0000-memory.dmp

memory/1812-16-0x0000000004E60000-0x0000000004EA0000-memory.dmp

memory/1812-17-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 03:50

Reported

2024-02-24 03:54

Platform

win10v2004-20240221-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0dfd4af2c176679731bb4ac406333be.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                               Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\a0dfd4af2c176679731bb4ac406333be.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0dfd4af2c176679731bb4ac406333be.exe

"C:\Users\Admin\AppData\Local\Temp\a0dfd4af2c176679731bb4ac406333be.exe"

Network

Country  Destination          Domain                         Proto
US       138.91.171.81:80                                    tcp
US       8.8.8.8:53           75.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa     udp
FR       193.56.146.78:54955                                 tcp
FR       193.56.146.78:54955                                 tcp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53           217.135.221.88.in-addr.arpa    udp
FR       193.56.146.78:54955                                 tcp
US       8.8.8.8:53           173.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           79.121.231.20.in-addr.arpa     udp
FR       193.56.146.78:54955                                 tcp
FR       193.56.146.78:54955                                 tcp
FR       193.56.146.78:54955                                 tcp

Files

memory/2468-1-0x0000000000B90000-0x0000000000C90000-memory.dmp

memory/2468-2-0x00000000001C0000-0x00000000001EF000-memory.dmp

memory/2468-3-0x0000000000400000-0x0000000000915000-memory.dmp

memory/2468-4-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2468-5-0x0000000002900000-0x0000000002922000-memory.dmp

memory/2468-6-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/2468-7-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/2468-8-0x00000000052D0000-0x0000000005874000-memory.dmp

memory/2468-9-0x0000000002AA0000-0x0000000002AC0000-memory.dmp

memory/2468-10-0x0000000005880000-0x0000000005E98000-memory.dmp

memory/2468-11-0x0000000002C60000-0x0000000002C72000-memory.dmp

memory/2468-12-0x0000000002C80000-0x0000000002CBC000-memory.dmp

memory/2468-13-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/2468-14-0x0000000005130000-0x000000000517C000-memory.dmp

memory/2468-15-0x0000000005EA0000-0x0000000005FAA000-memory.dmp

memory/2468-16-0x0000000000B90000-0x0000000000C90000-memory.dmp

memory/2468-17-0x0000000000400000-0x0000000000915000-memory.dmp

memory/2468-18-0x00000000001C0000-0x00000000001EF000-memory.dmp

memory/2468-19-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2468-21-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/2468-22-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/2468-23-0x00000000052C0000-0x00000000052D0000-memory.dmp