Analysis Overview

score

10^/10

SHA256

93e2455a56c74a3f37f69fd8c918922fd5f32d1055f874f626bff8dc9203754e

Threat Level: Known bad

The file de5db6c4f43175526bc82bab48124b2e was found to be: Known bad.

Malicious Activity Summary

redline sectoprat sewpalpadin infostealer rat trojan

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-25 15:44

Signatures

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 15:44

Reported

2024-03-25 15:46

Platform

win7-20240221-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de5db6c4f43175526bc82bab48124b2e.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\de5db6c4f43175526bc82bab48124b2e.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de5db6c4f43175526bc82bab48124b2e.exe

"C:\Users\Admin\AppData\Local\Temp\de5db6c4f43175526bc82bab48124b2e.exe"

Network

Country	Destination	Domain	Proto
RU	185.215.113.114:8887		tcp
RU	185.215.113.114:8887		tcp
RU	185.215.113.114:8887		tcp
RU	185.215.113.114:8887		tcp
RU	185.215.113.114:8887		tcp
RU	185.215.113.114:8887		tcp
RU	185.215.113.114:8887		tcp

Files

memory/3024-1-0x00000000032E0000-0x00000000033E0000-memory.dmp

memory/3024-2-0x00000000002A0000-0x00000000002CF000-memory.dmp

memory/3024-3-0x00000000032C0000-0x00000000032E0000-memory.dmp

memory/3024-4-0x0000000000400000-0x0000000003261000-memory.dmp

memory/3024-5-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

memory/3024-6-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/3024-7-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

memory/3024-8-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

memory/3024-9-0x0000000004E60000-0x0000000004E7E000-memory.dmp

memory/3024-10-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

memory/3024-11-0x0000000000400000-0x0000000003261000-memory.dmp

memory/3024-12-0x00000000002A0000-0x00000000002CF000-memory.dmp

memory/3024-13-0x00000000032E0000-0x00000000033E0000-memory.dmp

memory/3024-15-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

memory/3024-16-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/3024-17-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

memory/3024-18-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

memory/3024-20-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 15:44

Reported

2024-03-25 15:46

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de5db6c4f43175526bc82bab48124b2e.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\de5db6c4f43175526bc82bab48124b2e.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de5db6c4f43175526bc82bab48124b2e.exe

"C:\Users\Admin\AppData\Local\Temp\de5db6c4f43175526bc82bab48124b2e.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	140.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	186.178.17.96.in-addr.arpa	udp
US	8.8.8.8:53	13.86.106.20.in-addr.arpa	udp
US	8.8.8.8:53	9.228.82.20.in-addr.arpa	udp
US	8.8.8.8:53	55.36.223.20.in-addr.arpa	udp
RU	185.215.113.114:8887		tcp
US	8.8.8.8:53	157.123.68.40.in-addr.arpa	udp
US	8.8.8.8:53	41.110.16.96.in-addr.arpa	udp
US	8.8.8.8:53	228.249.119.40.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	183.142.211.20.in-addr.arpa	udp
US	8.8.8.8:53	195.177.78.104.in-addr.arpa	udp
US	8.8.8.8:53	119.110.54.20.in-addr.arpa	udp
RU	185.215.113.114:8887		tcp
US	8.8.8.8:53	209.178.17.96.in-addr.arpa	udp
US	8.8.8.8:53	217.135.221.88.in-addr.arpa	udp
US	8.8.8.8:53	64.134.221.88.in-addr.arpa	udp
RU	185.215.113.114:8887		tcp
US	8.8.8.8:53	204.178.17.96.in-addr.arpa	udp
US	8.8.8.8:53	207.178.17.96.in-addr.arpa	udp
RU	185.215.113.114:8887		tcp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
RU	185.215.113.114:8887		tcp
US	8.8.8.8:53	tse1.mm.bing.net	udp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	8.8.8.8:53	200.197.79.204.in-addr.arpa	udp
US	8.8.8.8:53	184.178.17.96.in-addr.arpa	udp
RU	185.215.113.114:8887		tcp
RU	185.215.113.114:8887		tcp
GB	96.17.178.184:80		tcp

Files

memory/4028-1-0x00000000034C0000-0x00000000035C0000-memory.dmp

memory/4028-2-0x0000000004FB0000-0x0000000004FDF000-memory.dmp

memory/4028-3-0x0000000005260000-0x0000000005280000-memory.dmp

memory/4028-4-0x0000000000400000-0x0000000003261000-memory.dmp

memory/4028-6-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

memory/4028-5-0x0000000007AB0000-0x0000000008054000-memory.dmp

memory/4028-9-0x00000000054F0000-0x000000000550E000-memory.dmp

memory/4028-8-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

memory/4028-7-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

memory/4028-11-0x0000000008060000-0x0000000008678000-memory.dmp

memory/4028-10-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/4028-12-0x0000000007A00000-0x0000000007A12000-memory.dmp

memory/4028-13-0x0000000007A20000-0x0000000007A5C000-memory.dmp

memory/4028-14-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

memory/4028-15-0x0000000008680000-0x00000000086CC000-memory.dmp

memory/4028-16-0x00000000087F0000-0x00000000088FA000-memory.dmp

memory/4028-17-0x0000000000400000-0x0000000003261000-memory.dmp

memory/4028-18-0x0000000004FB0000-0x0000000004FDF000-memory.dmp

memory/4028-19-0x00000000034C0000-0x00000000035C0000-memory.dmp

memory/4028-23-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

memory/4028-22-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

memory/4028-21-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

memory/4028-24-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/4028-25-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

Sample ID	240325-s6gncacb38
Target	de5db6c4f43175526bc82bab48124b2e
SHA256	93e2455a56c74a3f37f69fd8c918922fd5f32d1055f874f626bff8dc9203754e
Tags	redline sectoprat sewpalpadin infostealer rat trojan

Malware Analysis Report

2024-08-06 09:50

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files