redline | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d

Analysis

max time kernel
134s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
12-07-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
Size

1.2MB
MD5

44c355ae8cc3ecc4a95b5716fb9635fd
SHA1

f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256

f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA512

46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
SSDEEP

12288:2kYE2r670sGqlvG2Hbt5wzdoLTgN/p48azOzPxiDOZ3IHSrsZn8NxNZLAdXeUif8:VmElvGuXeULC

Score

10^/10

redline sectoprat 1 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

37.0.8.88:44263

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/484-6-0x0000000000400000-0x0000000000448000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/484-6-0x0000000000400000-0x0000000000448000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description pid process target process

PID 5064 set thread context of 484 5064 ocHcxXqIvZbjJ5SjBH0EkE2Y.exe ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description	pid	process	target process
PID 5064 set thread context of 484	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

description	pid	process	target process
PID 5064 wrote to memory of 4664	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 4664	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 4664	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 484	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 484	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 484	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 484	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 484	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 484	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 484	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
PID 5064 wrote to memory of 484	5064	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe	ocHcxXqIvZbjJ5SjBH0EkE2Y.exe

C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
"C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
2⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
C:\Users\Admin\AppData\Local\Temp\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe
2⤵
PID:484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ocHcxXqIvZbjJ5SjBH0EkE2Y.exe.log
Filesize
700B

MD5
342f1c43dace4ddfe34db85a773f2721

SHA1
04bbf6f8807395cb790e7f4e75ec3d7ec8413f48

SHA256
54eb3a697ee93fdbd9ebe2b6d576d1d7f98d18b5e293d713b25acd71176bbf6d

SHA512
f943318dc9196ef5b857f9115e529c8c1d49910b772795edca42b6941fb3bdec50e3224ef48dadd42322adbbd4b3dab3c1b7aa20e58a8ed3ab7386e3c10c29fe

Download Submit
memory/484-13-0x0000000005050000-0x000000000508C000-memory.dmp

Filesize
240KB

Download
memory/484-11-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/484-17-0x0000000075040000-0x00000000757F1000-memory.dmp

Filesize
7.7MB

Download
memory/484-15-0x0000000075040000-0x00000000757F1000-memory.dmp

Filesize
7.7MB

Download
memory/484-10-0x00000000055A0000-0x0000000005BB8000-memory.dmp

Filesize
6.1MB

Download
memory/484-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/484-14-0x00000000050C0000-0x000000000510C000-memory.dmp

Filesize
304KB

Download
memory/484-9-0x0000000075040000-0x00000000757F1000-memory.dmp

Filesize
7.7MB

Download
memory/484-12-0x0000000005120000-0x000000000522A000-memory.dmp

Filesize
1.0MB

Download
memory/5064-5-0x00000000059C0000-0x0000000005F66000-memory.dmp

Filesize
5.6MB

Download
memory/5064-1-0x00000000006C0000-0x00000000007F2000-memory.dmp

Filesize
1.2MB

Download
memory/5064-0-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/5064-2-0x0000000005290000-0x0000000005306000-memory.dmp

Filesize
472KB

Download
memory/5064-4-0x0000000075040000-0x00000000757F1000-memory.dmp

Filesize
7.7MB

Download
memory/5064-16-0x0000000075040000-0x00000000757F1000-memory.dmp

Filesize
7.7MB

Download
memory/5064-3-0x0000000002E80000-0x0000000002E9E000-memory.dmp

Filesize
120KB

Download