redline | 95d4b4b0d7850ae04709b88ae02fd05e75a9c55d292ebce672f429f8aa78cc76

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 07:37

Target

0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe
Size

406KB
MD5

0d3a721884eef83f8a0c26262805026e
SHA1

45b243a2c2ec85ade2afad0acbe835b69a53893f
SHA256

95d4b4b0d7850ae04709b88ae02fd05e75a9c55d292ebce672f429f8aa78cc76
SHA512

f1e9fdcd1d1f78fc4c750255a33d911ff0c3bb1880db0e9f13700a61c8c8b180660430719a47532a3244b887ab13774363572ef477bec983e599a1a49356f584
SSDEEP

6144:UFR05m+b9h3CXY6F4ulvIVTG2wWc9qWkIOP502o6k7l+/A/rAMgJdTAZvyR7ioqf:seZhyXlF5CcEI6cNrrSdElyR2jo5q5Eq

Score

10^/10

Family

redline

Botnet

@keynejkee

164.132.72.186:18717

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2220-4-0x0000000000400000-0x0000000000427000-memory.dmp	family_redline
behavioral1/memory/2220-8-0x0000000000400000-0x0000000000427000-memory.dmp	family_redline
behavioral1/memory/2220-6-0x0000000000400000-0x0000000000427000-memory.dmp	family_redline
behavioral1/memory/2220-10-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2220-4-0x0000000000400000-0x0000000000427000-memory.dmp	family_sectoprat
behavioral1/memory/2220-8-0x0000000000400000-0x0000000000427000-memory.dmp	family_sectoprat
behavioral1/memory/2220-6-0x0000000000400000-0x0000000000427000-memory.dmp	family_sectoprat
behavioral1/memory/2220-10-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

regasm.exe

pid process

2220 regasm.exe
2220 regasm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe

description pid process target process

PID 2252 set thread context of 2220 2252 0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe regasm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe

pid process

2252 0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe

pid process

2252 0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe

pid	process
2220	regasm.exe
2220	regasm.exe

description	pid	process	target process
PID 2252 set thread context of 2220	2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe	regasm.exe

pid	process
2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe

pid	process
2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe

description	pid	process	target process
PID 2252 wrote to memory of 2220	2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe	regasm.exe
PID 2252 wrote to memory of 2220	2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe	regasm.exe
PID 2252 wrote to memory of 2220	2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe	regasm.exe
PID 2252 wrote to memory of 2220	2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe	regasm.exe
PID 2252 wrote to memory of 2220	2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe	regasm.exe
PID 2252 wrote to memory of 2220	2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe	regasm.exe
PID 2252 wrote to memory of 2220	2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe	regasm.exe
PID 2252 wrote to memory of 2220	2252	0d3a721884eef83f8a0c26262805026e_JaffaCakes118.exe	regasm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2220

memory/2220-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2220-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2220-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2220-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2252-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2252-3-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download