Malware Analysis Report

2024-12-08 01:36

Sample ID 240902-b3kr6axhmk
Target 9fe5f95d5355185b04b8e78d1c8cebe4.bin
SHA256 ad475abae33ea4782ee51c912038e06710ad570c06032ae60d9a9b0ca9730386
Tags
redline sectoprat h4n0m4n discovery infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad475abae33ea4782ee51c912038e06710ad570c06032ae60d9a9b0ca9730386

Threat Level: Known bad

The file 9fe5f95d5355185b04b8e78d1c8cebe4.bin was found to be: Known bad.

Malicious Activity Summary

redline sectoprat h4n0m4n discovery infostealer rat trojan

RedLine

SectopRAT payload

Sectoprat family

RedLine payload

SectopRAT

Redline family

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-02 01:40

Signatures

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-02 01:40

Reported

2024-09-02 01:42

Platform

win10v2004-20240802-en

Max time kernel

132s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe

"C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 207.32.219.79:40826 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 207.32.219.79:40826 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 207.32.219.79:40826 tcp
US 207.32.219.79:40826 tcp
US 207.32.219.79:40826 tcp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
US 207.32.219.79:40826 tcp

Files

memory/732-0-0x000000007517E000-0x000000007517F000-memory.dmp

memory/732-1-0x0000000000A10000-0x0000000000A2E000-memory.dmp

memory/732-2-0x0000000005AD0000-0x00000000060E8000-memory.dmp

memory/732-3-0x00000000053D0000-0x00000000053E2000-memory.dmp

memory/732-4-0x0000000005430000-0x000000000546C000-memory.dmp

memory/732-5-0x00000000054B0000-0x00000000054FC000-memory.dmp

memory/732-6-0x0000000075170000-0x0000000075920000-memory.dmp

memory/732-7-0x00000000056E0000-0x00000000057EA000-memory.dmp

memory/732-8-0x000000007517E000-0x000000007517F000-memory.dmp

memory/732-9-0x0000000075170000-0x0000000075920000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-02 01:40

Reported

2024-09-02 01:42

Platform

win7-20240708-en

Max time kernel

131s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe

"C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe"

Network

Country Destination Domain Proto
US 207.32.219.79:40826 tcp
US 207.32.219.79:40826 tcp
US 207.32.219.79:40826 tcp
US 207.32.219.79:40826 tcp
US 207.32.219.79:40826 tcp
US 207.32.219.79:40826 tcp

Files

memory/1716-0-0x000000007433E000-0x000000007433F000-memory.dmp

memory/1716-1-0x0000000000200000-0x000000000021E000-memory.dmp

memory/1716-2-0x0000000074330000-0x0000000074A1E000-memory.dmp

memory/1716-3-0x000000007433E000-0x000000007433F000-memory.dmp

memory/1716-4-0x0000000074330000-0x0000000074A1E000-memory.dmp