Malware Analysis Report

2024-12-08 01:36

Sample ID 240910-rz7qhszdla
Target build.exe
SHA256 4c0da55a9e797afe7f4cc13530d31e42673efbf8cdfe9b151fc7a847db38fadb
Tags
scar redline sectoprat discovery infostealer rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4c0da55a9e797afe7f4cc13530d31e42673efbf8cdfe9b151fc7a847db38fadb

Threat Level: Known bad

The file build.exe was found to be: Known bad.

Malicious Activity Summary

scar redline sectoprat discovery infostealer rat trojan

RedLine payload

Sectoprat family

Redline family

SectopRAT payload

RedLine

SectopRAT

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 14:38

Signatures

RedLine payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Redline family

redline

SectopRAT payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Sectoprat family

sectoprat

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 14:38

Reported

2024-09-10 14:41

Platform

win11-20240802-en

Max time kernel

132s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\build.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

System Location Discovery: System Language Discovery

discovery

Description  Indicator                                                    Process                                       Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\build.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                       Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\build.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

Network

Country  Destination         Domain                  Proto
US       3.17.140.152:33605                          tcp
US       3.17.140.152:33605                          tcp
US       8.8.8.8:53          8.8.8.8.in-addr.arpa    udp
US       3.17.140.152:33605                          tcp
US       3.17.140.152:33605                          tcp
US       3.17.140.152:33605                          tcp
US       3.17.140.152:33605                          tcp

Files

memory/4368-0-0x00007FF86FDC0000-0x00007FF86FFC9000-memory.dmp

memory/4368-1-0x0000000000420000-0x000000000043E000-memory.dmp

memory/4368-2-0x0000000005540000-0x0000000005B58000-memory.dmp

memory/4368-3-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

memory/4368-4-0x0000000004F20000-0x0000000004F5C000-memory.dmp

memory/4368-5-0x00007FF86FDC0000-0x00007FF86FFC9000-memory.dmp

memory/4368-6-0x0000000004EC0000-0x0000000004F0C000-memory.dmp

memory/4368-7-0x00000000051B0000-0x00000000052BA000-memory.dmp

memory/4368-8-0x00007FF86FDC0000-0x00007FF86FFC9000-memory.dmp