Analysis
-
max time kernel
145s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
06-03-2024 16:29
General
-
Target
b7db02446d1f0cc21a2259227b021313.exe
-
Size
262KB
-
MD5
b7db02446d1f0cc21a2259227b021313
-
SHA1
77099382728356ad71d80226c90754a75e29fb06
-
SHA256
b33bc799128d0e630270f09393c5f4dae1867782fbde21db3d7f6d5f945625d2
-
SHA512
10ab722f5369e22357530ab73e6416e4ed616ffd5c29ea3f520b5830bd316e5ec9689c588ba95288dc09a0cc4c840c6abeb2c84823839606dc029a9f6d0c94e0
-
SSDEEP
6144:Sw+HQu1he+ERDoXJpGur3sKP2V9lVp5c8h:CB1he+bZXr3sKPsxc8h
Malware Config
Extracted
redline
youngboy
176.57.69.178:59510
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7db02446d1f0cc21a2259227b021313.exe"C:\Users\Admin\AppData\Local\Temp\b7db02446d1f0cc21a2259227b021313.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b7db02446d1f0cc21a2259227b021313.exeC:\Users\Admin\AppData\Local\Temp\b7db02446d1f0cc21a2259227b021313.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b7db02446d1f0cc21a2259227b021313.exe.logFilesize
605B
MD53654bd2c6957761095206ffdf92b0cb9
SHA16f10f7b5867877de7629afcff644c265e79b4ad3
SHA256c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4
SHA512e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79
-
memory/744-13-0x0000000004EB0000-0x0000000004EEC000-memory.dmpFilesize
240KB
-
memory/744-15-0x0000000004EF0000-0x0000000004F3C000-memory.dmpFilesize
304KB
-
memory/744-18-0x0000000004FD0000-0x0000000004FE0000-memory.dmpFilesize
64KB
-
memory/744-17-0x0000000074D30000-0x00000000754E0000-memory.dmpFilesize
7.7MB
-
memory/744-11-0x0000000005450000-0x0000000005A68000-memory.dmpFilesize
6.1MB
-
memory/744-6-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/744-16-0x0000000005160000-0x000000000526A000-memory.dmpFilesize
1.0MB
-
memory/744-12-0x0000000004E50000-0x0000000004E62000-memory.dmpFilesize
72KB
-
memory/744-14-0x0000000004FD0000-0x0000000004FE0000-memory.dmpFilesize
64KB
-
memory/744-10-0x0000000074D30000-0x00000000754E0000-memory.dmpFilesize
7.7MB
-
memory/1584-5-0x0000000004AE0000-0x0000000004AFE000-memory.dmpFilesize
120KB
-
memory/1584-0-0x00000000001D0000-0x0000000000214000-memory.dmpFilesize
272KB
-
memory/1584-3-0x0000000004A70000-0x0000000004A90000-memory.dmpFilesize
128KB
-
memory/1584-2-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/1584-1-0x0000000074D30000-0x00000000754E0000-memory.dmpFilesize
7.7MB
-
memory/1584-4-0x0000000004B10000-0x0000000004B86000-memory.dmpFilesize
472KB
-
memory/1584-9-0x0000000074D30000-0x00000000754E0000-memory.dmpFilesize
7.7MB