redline | 8ed3614337b30b6f52623f70618a84fa64fe6404a2592b1bca3b4c81506e4b6a

Analysis

max time kernel
126s
max time network
139s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 11:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b49e1e828ca85a5ba4232536589ae8a2.exe
Size

1.2MB
MD5

b49e1e828ca85a5ba4232536589ae8a2
SHA1

1bb799fbcf26121be3f67384b662cc22f0955878
SHA256

8ed3614337b30b6f52623f70618a84fa64fe6404a2592b1bca3b4c81506e4b6a
SHA512

fc974b107f7c5eee416baa7a9386cca5cf2675edec78bd4410f0773abcab7264041e4fe16f4fc84a59e3535080266dab9da6d7d0e195e5dce5f060d408a08165
SSDEEP

24576:99qHeJtAb2DxPeuXe7gmS3yfNsBkofce/z2p0L/rN4krwVf:lHFUuO7bS3ksBp72pAqG

Score

10^/10

redline sectoprat bugatti infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

Bugatti

45.88.3.176:17033

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2988-5-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2988-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2988-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2988-5-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2988-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2988-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	b49e1e828ca85a5ba4232536589ae8a2.exe
Token: SeDebugPrivilege	2988	b49e1e828ca85a5ba4232536589ae8a2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28
PID 2352 wrote to memory of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28
PID 2352 wrote to memory of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28
PID 2352 wrote to memory of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28
PID 2352 wrote to memory of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28
PID 2352 wrote to memory of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28
PID 2352 wrote to memory of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28
PID 2352 wrote to memory of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28
PID 2352 wrote to memory of 2988	2352	b49e1e828ca85a5ba4232536589ae8a2.exe	28

C:\Users\Admin\AppData\Local\Temp\b49e1e828ca85a5ba4232536589ae8a2.exe
"C:\Users\Admin\AppData\Local\Temp\b49e1e828ca85a5ba4232536589ae8a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\b49e1e828ca85a5ba4232536589ae8a2.exe
  C:\Users\Admin\AppData\Local\Temp\b49e1e828ca85a5ba4232536589ae8a2.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2352-0-0x0000000000240000-0x000000000037A000-memory.dmp

Filesize
1.2MB

Download
memory/2352-1-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-2-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/2352-3-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2352-4-0x00000000007B0000-0x00000000007D8000-memory.dmp

Filesize
160KB

Download
memory/2352-11-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-10-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-12-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2988-13-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download