Malware Analysis Report

2024-09-11 08:40

Sample ID 240601-te14cagb3y
Target 0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1
SHA256 0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1
Tags
cheat redline sectoprat infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1

Threat Level: Known bad

The file 0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1 was found to be: Known bad.

Malicious Activity Summary

cheat redline sectoprat infostealer rat trojan

RedLine payload

Redline family

SectopRAT payload

Sectoprat family

RedLine

SectopRAT

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:59

Signatures

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:59

Reported

2024-06-01 16:01

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                                    Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1.exe

"C:\Users\Admin\AppData\Local\Temp\0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1.exe"

Network

Country  Destination          Domain                       Proto
US       8.8.8.8:53           each-qualified.gl.at.ply.gg  udp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       8.8.8.8:53           each-qualified.gl.at.ply.gg  udp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg  tcp

Files

memory/2116-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

memory/2116-1-0x0000000000EE0000-0x0000000000EFE000-memory.dmp

memory/2116-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp

memory/2116-3-0x00000000748DE000-0x00000000748DF000-memory.dmp

memory/2116-4-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:59

Reported

2024-06-01 16:01

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                                    Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1.exe  N/A
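Both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10) record the sample enabling SeDebugPrivilege on its own token from a user-writable Temp path. On a host with the "Audit Token Right Adjusted" subcategory enabled, the equivalent telemetry is Security event 4703, which is very noisy because trusted system processes adjust privileges constantly. The triage below is an added example, not part of the sandbox's report or its signature logic: it walks constructed records laid out like 4703 (the field names and the five events are assumptions, the first one mirroring what this report attributes to the sample), keeps only adjustments that enable a sensitive right, and raises severity when the process is outside trusted directories or runs from a user-writable location such as AppData, Temp or Downloads.

```python
from pathlib import PureWindowsPath

# Constructed records in the shape of Windows Security event 4703
# ("A token right was adjusted"). Illustrative input, not events recorded
# by the sandbox; the first mirrors the report's SeDebugPrivilege finding.
EVENTS = [
    {"EventID": 4703,
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": r"C:\Users\Admin\Downloads\tool.exe",
     "EnabledPrivilegeList": "SeIncreaseWorkingSetPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": r"C:\Users\Admin\AppData\Roaming\updater.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\nSeBackupPrivilege", "DisabledPrivilegeList": "-"},
]

# Rights whose enablement is worth a look regardless of who does it.
SENSITIVE = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
             "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}
# Directories a normal user cannot write to; anything else is suspect.
TRUSTED_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Path components that mark typical drop locations for user-mode malware.
USER_WRITABLE = {"appdata", "temp", "downloads"}


def parse_privileges(field):
    """4703 lists rights one per line; '-' means none."""
    return {p.strip() for p in field.replace("\n", ",").split(",")
            if p.strip() and p.strip() != "-"}


def in_trusted_dir(path):
    low = path.lower()
    return any(low.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def score(event):
    """Return an alert dict for a sensitive enablement, else None."""
    hits = parse_privileges(event["EnabledPrivilegeList"]) & SENSITIVE
    if not hits:
        return None
    path = event["ProcessName"]
    reasons = [f"enabled {','.join(sorted(hits))}"]
    if not in_trusted_dir(path):
        reasons.append("process outside trusted directories")
    if any(part.lower() in USER_WRITABLE for part in PureWindowsPath(path).parts):
        reasons.append("process runs from user-writable location")
    severity = {1: "low", 2: "medium", 3: "high"}[len(reasons)]
    return {"process": path, "severity": severity, "reasons": reasons}


def triage(events):
    return [a for a in (score(e) for e in events if e["EventID"] == 4703) if a]


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["severity"].upper(), alert["process"], "|", "; ".join(alert["reasons"]))
```

Running it yields two high alerts (the Temp-resident sample and the Roaming updater) and two low ones for svchost.exe and MsMpEng.exe; in production the low tier is what an allowlist suppresses, and the path test is the part that separates this sample from the background noise, since enabling SeDebugPrivilege alone is not distinctive.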

Processes

C:\Users\Admin\AppData\Local\Temp\0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1.exe

"C:\Users\Admin\AppData\Local\Temp\0684033d95616adafa0e5b41883fc8b6fc47a1ca829f350def96353fea05a8d1.exe"

Network

Country  Destination          Domain                           Proto
US       8.8.8.8:53           each-qualified.gl.at.ply.gg      udp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa      udp
US       8.8.8.8:53           203.107.17.2.in-addr.arpa        udp
US       8.8.8.8:53           20.221.185.147.in-addr.arpa      udp
US       8.8.8.8:53           140.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa      udp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa        udp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa         udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa        udp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       8.8.8.8:53           88.210.23.2.in-addr.arpa         udp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa     udp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434  each-qualified.gl.at.ply.gg      tcp
US       147.185.221.20:6434                                   tcp
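The Network tables of both detonations mix three kinds of rows: a forward lookup of each-qualified.gl.at.ply.gg sent to the sandbox resolver at 8.8.8.8, repeated TCP connections to 147.185.221.20:6434 (the address the sandbox attributes to that name), and, only in the Windows 10 run, a burst of reverse (in-addr.arpa) lookups. Hostnames under ply.gg are issued by the playit.gg tunnel service, so the IP is shared relay infrastructure and the hostname plus port is the more durable indicator. The script below is an added example, not part of the sandbox's report: it parses the behavioral2 rows as copied from this page, deduplicates the TCP endpoints into a blocklist, decodes the PTR names back to addresses, and reports which reverse lookups point at an address the sample actually connected to. Feeding it the behavioral1 rows instead gives the same single endpoint and no PTR entries.

```python
import re
from collections import Counter

# Rows copied from the behavioral2 Network table of this report (Win10 run).
# The last row has no Domain value on the page and is kept that way.
BEHAVIORAL2_ROWS = """\
US 8.8.8.8:53 each-qualified.gl.at.ply.gg udp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 each-qualified.gl.at.ply.gg tcp
US 147.185.221.20:6434 tcp
"""

# Country, ip:port, optional domain, protocol. The domain group is optional
# so a row with an empty Domain cell still parses.
ROW_RE = re.compile(
    r"^(?P<country>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable network row: {line!r}")
        rows.append({"country": m["country"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": m["domain"] or "", "proto": m["proto"]})
    return rows


def ptr_name_to_ip(name):
    """'20.221.185.147.in-addr.arpa' -> '147.185.221.20' (octets are reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 PTR name: {name!r}")
    return ".".join(reversed(octets))


def classify(row):
    """Port-53 UDP rows are resolver traffic; everything else is a connection."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "ptr" if row["domain"].endswith(".in-addr.arpa") else "dns"
    return "conn"


def summarize(rows):
    conns = Counter()   # (ip, port, proto) -> number of rows
    names = {}          # ip -> names the sandbox attributed to it on connection rows
    queried = set()     # forward-looked-up names
    ptr_ips = set()     # addresses the host reverse-resolved
    for row in rows:
        kind = classify(row)
        if kind == "conn":
            conns[(row["ip"], row["port"], row["proto"])] += 1
            if row["domain"]:
                names.setdefault(row["ip"], set()).add(row["domain"])
        elif kind == "dns":
            queried.add(row["domain"])
        else:
            ptr_ips.add(ptr_name_to_ip(row["domain"]))
    conn_ips = {ip for ip, _, _ in conns}
    return {"endpoints": dict(conns),
            "names": {ip: sorted(n) for ip, n in names.items()},
            "queried": sorted(queried),
            "ptr_ips": sorted(ptr_ips),
            # reverse lookups that resolve back to an address the sample connected to
            "ptr_of_c2": sorted(ptr_ips & conn_ips)}


def iocs(summary):
    """Flatten the summary into the strings you would hand to a blocklist."""
    out = set(summary["queried"])
    for ip, port, proto in summary["endpoints"]:
        out.add(f"{ip}:{port}/{proto}")
    return sorted(out)


if __name__ == "__main__":
    s = summarize(parse_rows(BEHAVIORAL2_ROWS))
    for key, value in s.items():
        print(f"{key}: {value}")
    print("IOCs:", iocs(s))
```

Of the ten reverse lookups, exactly one (20.221.185.147.in-addr.arpa) decodes to the C2 address 147.185.221.20; the rest are the kind of background resolution a Windows 10 image produces on its own, which is why the script reports the intersection with connection targets rather than every PTR name.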

Files

memory/1460-0-0x000000007528E000-0x000000007528F000-memory.dmp

memory/1460-1-0x0000000000680000-0x000000000069E000-memory.dmp

memory/1460-2-0x00000000056A0000-0x0000000005CB8000-memory.dmp

memory/1460-3-0x0000000005040000-0x0000000005052000-memory.dmp

memory/1460-4-0x00000000050C0000-0x00000000050FC000-memory.dmp

memory/1460-5-0x0000000005100000-0x000000000514C000-memory.dmp

memory/1460-6-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/1460-7-0x0000000005350000-0x000000000545A000-memory.dmp

memory/1460-8-0x000000007528E000-0x000000007528F000-memory.dmp

memory/1460-9-0x0000000075280000-0x0000000075A30000-memory.dmp
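The dump names under Files in both detonations encode the process ID, a dump index and the address range that was captured. Read side by side, the two runs show the same shapes: a single 4 KiB page (0x1000) captured twice inside a large region that is itself dumped twice, and a 0x1E000-byte region at a low address in both the Windows 7 and Windows 10 runs. The following is an added example, not tooling from the sandbox or this report: it parses the dump names copied from both runs, computes region sizes, finds ranges dumped more than once, finds dumps that lie inside another dump's range, and lists sizes that recur across the two runs. What the regions contain is not stated on the page and is not inferred here.

```python
import re
from dataclasses import dataclass

# Dump names copied from the Files sections of behavioral1 and behavioral2.
BEHAVIORAL1_DUMPS = """
memory/2116-0-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/2116-1-0x0000000000EE0000-0x0000000000EFE000-memory.dmp
memory/2116-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp
memory/2116-3-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/2116-4-0x00000000748D0000-0x0000000074FBE000-memory.dmp
""".split()

BEHAVIORAL2_DUMPS = """
memory/1460-0-0x000000007528E000-0x000000007528F000-memory.dmp
memory/1460-1-0x0000000000680000-0x000000000069E000-memory.dmp
memory/1460-2-0x00000000056A0000-0x0000000005CB8000-memory.dmp
memory/1460-3-0x0000000005040000-0x0000000005052000-memory.dmp
memory/1460-4-0x00000000050C0000-0x00000000050FC000-memory.dmp
memory/1460-5-0x0000000005100000-0x000000000514C000-memory.dmp
memory/1460-6-0x0000000075280000-0x0000000075A30000-memory.dmp
memory/1460-7-0x0000000005350000-0x000000000545A000-memory.dmp
memory/1460-8-0x000000007528E000-0x000000007528F000-memory.dmp
memory/1460-9-0x0000000075280000-0x0000000075A30000-memory.dmp
""".split()

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start

    def inside(self, other):
        """True if this dump lies within a *different* range captured by `other`."""
        return ((self.start, self.end) != (other.start, other.end)
                and other.start <= self.start and self.end <= other.end)


def parse_dumps(names):
    regions = []
    for name in names:
        m = DUMP_RE.match(name.strip())
        if m is None:
            raise ValueError(f"unexpected dump name: {name!r}")
        regions.append(Region(int(m["pid"]), int(m["idx"]),
                              int(m["start"], 16), int(m["end"], 16)))
    return regions


def repeated_ranges(regions):
    """(start, end) -> dump indexes, for ranges captured more than once."""
    seen = {}
    for r in regions:
        seen.setdefault((r.start, r.end), []).append(r.idx)
    return {k: v for k, v in seen.items() if len(v) > 1}


def nested(regions):
    """(small_idx, big_idx) pairs where one dump sits inside another's range."""
    return [(a.idx, b.idx) for a in regions for b in regions if a.inside(b)]


def shared_sizes(run_a, run_b):
    """Region sizes that occur in both runs, a cheap cross-run fingerprint."""
    return sorted({r.size for r in run_a} & {r.size for r in run_b})


if __name__ == "__main__":
    b1, b2 = parse_dumps(BEHAVIORAL1_DUMPS), parse_dumps(BEHAVIORAL2_DUMPS)
    for label, run in (("behavioral1", b1), ("behavioral2", b2)):
        print(label, "pid", run[0].pid)
        for r in run:
            print(f"  #{r.idx} 0x{r.start:08X}-0x{r.end:08X} size 0x{r.size:X}")
        print("  repeated:", {f"0x{s:X}-0x{e:X}": v for (s, e), v in repeated_ranges(run).items()})
        print("  nested:", nested(run))
    print("sizes common to both runs:", [hex(s) for s in shared_sizes(b1, b2)])
```

The nested pairs are the ones to open first when reconciling dumps: the one-page captures (#0 and #3 in the Win7 run, #0 and #8 in the Win10 run) are subsets of the large region captured twice in the same run, so they add no bytes beyond what the larger dumps already hold.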