redline | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d

Analysis

max time kernel
130s
max time network
140s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 17:19

Target

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
Size

1.2MB
MD5

44c355ae8cc3ecc4a95b5716fb9635fd
SHA1

f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256

f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA512

46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
SSDEEP

12288:2kYE2r670sGqlvG2Hbt5wzdoLTgN/p48azOzPxiDOZ3IHSrsZn8NxNZLAdXeUif8:VmElvGuXeULC

Score

10^/10

Family

redline

Botnet

37.0.8.88:44263

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2092-16-0x0000000000400000-0x0000000000448000-memory.dmp	family_redline
behavioral2/memory/2092-13-0x0000000000400000-0x0000000000448000-memory.dmp	family_redline
behavioral2/memory/2092-11-0x0000000000400000-0x0000000000448000-memory.dmp	family_redline
behavioral2/memory/2092-8-0x0000000000400000-0x0000000000448000-memory.dmp	family_redline
behavioral2/memory/2092-7-0x0000000000400000-0x0000000000448000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2092-16-0x0000000000400000-0x0000000000448000-memory.dmp	family_sectoprat
behavioral2/memory/2092-13-0x0000000000400000-0x0000000000448000-memory.dmp	family_sectoprat
behavioral2/memory/2092-11-0x0000000000400000-0x0000000000448000-memory.dmp	family_sectoprat
behavioral2/memory/2092-8-0x0000000000400000-0x0000000000448000-memory.dmp	family_sectoprat
behavioral2/memory/2092-7-0x0000000000400000-0x0000000000448000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description pid process target process

PID 3008 set thread context of 2092 3008 ocHcxXqIvZbjJ5SjBH0EkE2Y.exe ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description	pid	process	target process
PID 3008 set thread context of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description	pid	process	target process
PID 3008 wrote to memory of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3008 wrote to memory of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3008 wrote to memory of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3008 wrote to memory of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3008 wrote to memory of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3008 wrote to memory of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3008 wrote to memory of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3008 wrote to memory of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3008 wrote to memory of 2092	3008	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
2⤵
PID:2092

memory/2092-17-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-11-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2092-20-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2092-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2092-19-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2092-13-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2092-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2092-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2092-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3008-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

Filesize
4KB

Download
memory/3008-1-0x0000000001160000-0x0000000001292000-memory.dmp

Filesize
1.2MB

Download
memory/3008-18-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-2-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download