redline | 8ed3614337b30b6f52623f70618a84fa64fe6404a2592b1bca3b4c81506e4b6a

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b49e1e828ca85a5ba4232536589ae8a2.exe
Size

1.2MB
MD5

b49e1e828ca85a5ba4232536589ae8a2
SHA1

1bb799fbcf26121be3f67384b662cc22f0955878
SHA256

8ed3614337b30b6f52623f70618a84fa64fe6404a2592b1bca3b4c81506e4b6a
SHA512

fc974b107f7c5eee416baa7a9386cca5cf2675edec78bd4410f0773abcab7264041e4fe16f4fc84a59e3535080266dab9da6d7d0e195e5dce5f060d408a08165
SSDEEP

24576:99qHeJtAb2DxPeuXe7gmS3yfNsBkofce/z2p0L/rN4krwVf:lHFUuO7bS3ksBp72pAqG

Score

10^/10

redline sectoprat bugatti infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

Bugatti

45.88.3.176:17033

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2792-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2792-9-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 2792	1124	b49e1e828ca85a5ba4232536589ae8a2.exe	96

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	b49e1e828ca85a5ba4232536589ae8a2.exe
Token: SeDebugPrivilege	2792	b49e1e828ca85a5ba4232536589ae8a2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 2792	1124	b49e1e828ca85a5ba4232536589ae8a2.exe	96
PID 1124 wrote to memory of 2792	1124	b49e1e828ca85a5ba4232536589ae8a2.exe	96
PID 1124 wrote to memory of 2792	1124	b49e1e828ca85a5ba4232536589ae8a2.exe	96
PID 1124 wrote to memory of 2792	1124	b49e1e828ca85a5ba4232536589ae8a2.exe	96
PID 1124 wrote to memory of 2792	1124	b49e1e828ca85a5ba4232536589ae8a2.exe	96
PID 1124 wrote to memory of 2792	1124	b49e1e828ca85a5ba4232536589ae8a2.exe	96
PID 1124 wrote to memory of 2792	1124	b49e1e828ca85a5ba4232536589ae8a2.exe	96
PID 1124 wrote to memory of 2792	1124	b49e1e828ca85a5ba4232536589ae8a2.exe	96

C:\Users\Admin\AppData\Local\Temp\b49e1e828ca85a5ba4232536589ae8a2.exe
"C:\Users\Admin\AppData\Local\Temp\b49e1e828ca85a5ba4232536589ae8a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\b49e1e828ca85a5ba4232536589ae8a2.exe
  C:\Users\Admin\AppData\Local\Temp\b49e1e828ca85a5ba4232536589ae8a2.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b49e1e828ca85a5ba4232536589ae8a2.exe.log

Filesize
1KB

MD5
7691b76d082c036117114f9bec9e9142

SHA1
63a8ed6db4700c9379b2373778a5b256f3b46766

SHA256
e74e3413956f70b36eac1225af454552017ac540bb5756ff571cc2eb6134c7ed

SHA512
8a5da9db3c9c85161030a3094120b9e32db1e9587229742e9a2729cb564ec4633804a79e818f1c12276bd743aadd2c9596a44fec023c770032009afe2cf51f9c

Download Submit
memory/1124-5-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/1124-15-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1124-3-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/1124-4-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/1124-0-0x0000000000840000-0x000000000097A000-memory.dmp

Filesize
1.2MB

Download
memory/1124-6-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/1124-8-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1124-7-0x00000000057A0000-0x00000000057C8000-memory.dmp

Filesize
160KB

Download
memory/1124-12-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/1124-1-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1124-2-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2792-13-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/2792-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2792-16-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/2792-14-0x0000000005910000-0x0000000005F28000-memory.dmp

Filesize
6.1MB

Download
memory/2792-17-0x0000000005410000-0x000000000544C000-memory.dmp

Filesize
240KB

Download
memory/2792-18-0x0000000005450000-0x000000000549C000-memory.dmp

Filesize
304KB

Download
memory/2792-19-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2792-20-0x00000000056E0000-0x00000000057EA000-memory.dmp

Filesize
1.0MB

Download
memory/2792-21-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/2792-22-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download