redline | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d

Analysis

max time kernel
135s
max time network
141s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-07-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
Size

1.2MB
MD5

44c355ae8cc3ecc4a95b5716fb9635fd
SHA1

f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256

f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA512

46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
SSDEEP

12288:2kYE2r670sGqlvG2Hbt5wzdoLTgN/p48azOzPxiDOZ3IHSrsZn8NxNZLAdXeUif8:VmElvGuXeULC

Score

10^/10

redline sectoprat 1 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

37.0.8.88:44263

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/164-6-0x0000000000400000-0x0000000000448000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/164-6-0x0000000000400000-0x0000000000448000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description pid process target process

PID 3796 set thread context of 164 3796 ocHcxXqIvZbjJ5SjBH0EkE2Y.exe ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description	pid	process	target process
PID 3796 set thread context of 164	3796	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description	pid	process	target process
PID 3796 wrote to memory of 164	3796	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3796 wrote to memory of 164	3796	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3796 wrote to memory of 164	3796	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3796 wrote to memory of 164	3796	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3796 wrote to memory of 164	3796	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3796 wrote to memory of 164	3796	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3796 wrote to memory of 164	3796	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3796 wrote to memory of 164	3796	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
"C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
2⤵
PID:164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe.log
Filesize
700B

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
memory/164-13-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/164-11-0x00000000055F0000-0x0000000005BF6000-memory.dmp

Filesize
6.0MB

Download
memory/164-17-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/164-16-0x0000000005110000-0x000000000515B000-memory.dmp

Filesize
300KB

Download
memory/164-10-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/164-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/164-15-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/164-14-0x0000000005090000-0x00000000050CE000-memory.dmp

Filesize
248KB

Download
memory/164-12-0x0000000005030000-0x0000000005042000-memory.dmp

Filesize
72KB

Download
memory/3796-1-0x00000000000C0000-0x00000000001F2000-memory.dmp

Filesize
1.2MB

Download
memory/3796-5-0x0000000005000000-0x00000000054FE000-memory.dmp

Filesize
5.0MB

Download
memory/3796-0-0x000000007407E000-0x000000007407F000-memory.dmp

Filesize
4KB

Download
memory/3796-9-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/3796-2-0x00000000049E0000-0x0000000004A56000-memory.dmp

Filesize
472KB

Download
memory/3796-4-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/3796-3-0x0000000004980000-0x000000000499E000-memory.dmp

Filesize
120KB

Download