redline | 41304c1c586ec32aa4419c81090527cb7f811919174ffddac0f5a0a384cefb9a

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6ff08d9ba3719f53ce0b1faac6e857b.exe
Size

378KB
MD5

b6ff08d9ba3719f53ce0b1faac6e857b
SHA1

01d7cd7e3131cf1c983aac7399e61235031d43c4
SHA256

41304c1c586ec32aa4419c81090527cb7f811919174ffddac0f5a0a384cefb9a
SHA512

cce5b6bb59cfd511eed18095b4e5febed22999a75aa97be923edba379226f682fdc4b78286c86c4d7ae76dfd4e5e087a45de8003c5f44642785f160be4016d1e
SSDEEP

6144:6ylYjxhUfR1GdkJEYPJqtjnsC093bVgOwoM8G4nb:nchsR1GdkJE2JqxnsC093bVgOwoW4nb

Score

10^/10

redline sectoprat focus1 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

Focus1

135.148.139.222:33569

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4892-6-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4892-6-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

b6ff08d9ba3719f53ce0b1faac6e857b.exe

description pid process target process

PID 5104 set thread context of 4892 5104 b6ff08d9ba3719f53ce0b1faac6e857b.exe b6ff08d9ba3719f53ce0b1faac6e857b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b6ff08d9ba3719f53ce0b1faac6e857b.exe

description pid process

Token: SeDebugPrivilege 4892 b6ff08d9ba3719f53ce0b1faac6e857b.exe

description	pid	process	target process
PID 5104 set thread context of 4892	5104	b6ff08d9ba3719f53ce0b1faac6e857b.exe	b6ff08d9ba3719f53ce0b1faac6e857b.exe

description	pid	process
Token: SeDebugPrivilege	4892	b6ff08d9ba3719f53ce0b1faac6e857b.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b6ff08d9ba3719f53ce0b1faac6e857b.exe

description	pid	process	target process
PID 5104 wrote to memory of 4892	5104	b6ff08d9ba3719f53ce0b1faac6e857b.exe	b6ff08d9ba3719f53ce0b1faac6e857b.exe
PID 5104 wrote to memory of 4892	5104	b6ff08d9ba3719f53ce0b1faac6e857b.exe	b6ff08d9ba3719f53ce0b1faac6e857b.exe
PID 5104 wrote to memory of 4892	5104	b6ff08d9ba3719f53ce0b1faac6e857b.exe	b6ff08d9ba3719f53ce0b1faac6e857b.exe
PID 5104 wrote to memory of 4892	5104	b6ff08d9ba3719f53ce0b1faac6e857b.exe	b6ff08d9ba3719f53ce0b1faac6e857b.exe
PID 5104 wrote to memory of 4892	5104	b6ff08d9ba3719f53ce0b1faac6e857b.exe	b6ff08d9ba3719f53ce0b1faac6e857b.exe
PID 5104 wrote to memory of 4892	5104	b6ff08d9ba3719f53ce0b1faac6e857b.exe	b6ff08d9ba3719f53ce0b1faac6e857b.exe
PID 5104 wrote to memory of 4892	5104	b6ff08d9ba3719f53ce0b1faac6e857b.exe	b6ff08d9ba3719f53ce0b1faac6e857b.exe
PID 5104 wrote to memory of 4892	5104	b6ff08d9ba3719f53ce0b1faac6e857b.exe	b6ff08d9ba3719f53ce0b1faac6e857b.exe

C:\Users\Admin\AppData\Local\Temp\b6ff08d9ba3719f53ce0b1faac6e857b.exe
"C:\Users\Admin\AppData\Local\Temp\b6ff08d9ba3719f53ce0b1faac6e857b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Local\Temp\b6ff08d9ba3719f53ce0b1faac6e857b.exe
C:\Users\Admin\AppData\Local\Temp\b6ff08d9ba3719f53ce0b1faac6e857b.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b6ff08d9ba3719f53ce0b1faac6e857b.exe.log
Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
memory/4892-13-0x0000000004E50000-0x0000000004E8C000-memory.dmp

Filesize
240KB

Download
memory/4892-15-0x0000000004E90000-0x0000000004EDC000-memory.dmp

Filesize
304KB

Download
memory/4892-11-0x0000000005310000-0x0000000005928000-memory.dmp

Filesize
6.1MB

Download
memory/4892-18-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4892-17-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4892-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4892-16-0x0000000005100000-0x000000000520A000-memory.dmp

Filesize
1.0MB

Download
memory/4892-12-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4892-14-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4892-9-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/5104-5-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/5104-0-0x00000000009E0000-0x0000000000A44000-memory.dmp

Filesize
400KB

Download
memory/5104-3-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/5104-2-0x00000000053C0000-0x0000000005436000-memory.dmp

Filesize
472KB

Download
memory/5104-1-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/5104-10-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/5104-4-0x0000000005360000-0x000000000537E000-memory.dmp

Filesize
120KB

Download