Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23-09-2024 16:30
Static task
static1
Behavioral task
behavioral1
Sample
QUOTATION#30065.exe
Resource
win7-20240903-en
General
-
Target
QUOTATION#30065.exe
-
Size
978KB
-
MD5
0180e157cb9930ea356bf763647bd67d
-
SHA1
c7d1c7747628398f6f5812bed3e53c77e0a72ad5
-
SHA256
3dd466ffa2e7031457a79668f0bc129dd21a6ddfa77e95c8438089d63c4e5a8c
-
SHA512
07965ffa7103bcf3671533aa8ebf990d309e10da37bfa77741690beafa10a5863500889119c9317b118a2927a8ea1ffa564c30c03cdbe5bf51576bab4e8930a3
-
SSDEEP
12288:cR5m3dzJ6vBQDSznYU5hlQmn5Ph5SpYkdtsKLYSMclrarAf:N9sQDSz3eoh5SpYkrjZarAf
Malware Config
Extracted
redline
lovato
57.128.132.216:55123
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3640-13-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3640-13-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat -
Suspicious use of SetThreadContext 1 IoCs
Processes:
QUOTATION#30065.exedescription pid Process procid_target PID 3896 set thread context of 3640 3896 QUOTATION#30065.exe 91 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
QUOTATION#30065.exeQUOTATION#30065.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language QUOTATION#30065.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language QUOTATION#30065.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
QUOTATION#30065.exepid Process 3896 QUOTATION#30065.exe 3896 QUOTATION#30065.exe 3896 QUOTATION#30065.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
QUOTATION#30065.exeQUOTATION#30065.exedescription pid Process Token: SeDebugPrivilege 3896 QUOTATION#30065.exe Token: SeDebugPrivilege 3640 QUOTATION#30065.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
QUOTATION#30065.exedescription pid Process procid_target PID 3896 wrote to memory of 3640 3896 QUOTATION#30065.exe 91 PID 3896 wrote to memory of 3640 3896 QUOTATION#30065.exe 91 PID 3896 wrote to memory of 3640 3896 QUOTATION#30065.exe 91 PID 3896 wrote to memory of 3640 3896 QUOTATION#30065.exe 91 PID 3896 wrote to memory of 3640 3896 QUOTATION#30065.exe 91 PID 3896 wrote to memory of 3640 3896 QUOTATION#30065.exe 91 PID 3896 wrote to memory of 3640 3896 QUOTATION#30065.exe 91 PID 3896 wrote to memory of 3640 3896 QUOTATION#30065.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\QUOTATION#30065.exe"C:\Users\Admin\AppData\Local\Temp\QUOTATION#30065.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\QUOTATION#30065.exe"C:\Users\Admin\AppData\Local\Temp\QUOTATION#30065.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3640
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5abce8ccd3a4a5a0d4645806e60ab870b
SHA1950703f2ae2e9d0b1383475c23a1f2b0c3ecd612
SHA256ef1cfbe683644d2583de43c8a38448e60ab1acaaac633296788e05e3ec494359
SHA512effb8bd2f006b7861c338e99faa501f47a346657f1f1fd4e47d10c82288788b83c84b029693edba1b4c2b60f9bec014d50af7299d93a27ed1fa4638321d1423b