redline | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
Size

1.2MB
MD5

44c355ae8cc3ecc4a95b5716fb9635fd
SHA1

f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256

f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA512

46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
SSDEEP

12288:2kYE2r670sGqlvG2Hbt5wzdoLTgN/p48azOzPxiDOZ3IHSrsZn8NxNZLAdXeUif8:VmElvGuXeULC

Score

10^/10

redline sectoprat 1 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

37.0.8.88:44263

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3416-6-0x0000000000400000-0x0000000000448000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3416-6-0x0000000000400000-0x0000000000448000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description pid process target process

PID 3988 set thread context of 3416 3988 ocHcxXqIvZbjJ5SjBH0EkE2Y.exe ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description	pid	process	target process
PID 3988 set thread context of 3416	3988	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description	pid	process	target process
PID 3988 wrote to memory of 3416	3988	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3988 wrote to memory of 3416	3988	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3988 wrote to memory of 3416	3988	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3988 wrote to memory of 3416	3988	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3988 wrote to memory of 3416	3988	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3988 wrote to memory of 3416	3988	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3988 wrote to memory of 3416	3988	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 3988 wrote to memory of 3416	3988	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
"C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
2⤵
PID:3416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe.log
Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
memory/3416-13-0x0000000005770000-0x000000000587A000-memory.dmp

Filesize
1.0MB

Download
memory/3416-12-0x0000000005640000-0x0000000005652000-memory.dmp

Filesize
72KB

Download
memory/3416-17-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3416-16-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3416-9-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3416-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3416-15-0x0000000005710000-0x000000000575C000-memory.dmp

Filesize
304KB

Download
memory/3416-14-0x00000000056D0000-0x000000000570C000-memory.dmp

Filesize
240KB

Download
memory/3416-11-0x0000000005BB0000-0x00000000061C8000-memory.dmp

Filesize
6.1MB

Download
memory/3988-10-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3988-5-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/3988-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/3988-1-0x0000000000980000-0x0000000000AB2000-memory.dmp

Filesize
1.2MB

Download
memory/3988-2-0x0000000005440000-0x00000000054B6000-memory.dmp

Filesize
472KB

Download
memory/3988-4-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3988-3-0x00000000053E0000-0x00000000053FE000-memory.dmp

Filesize
120KB

Download