redline | 023fc47c6f52055984cb9c8a332d4b0c6a7eec2e5c67bda4bff51afdff4f599d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

023fc47c6f52055984cb9c8a332d4b0c6a7eec2e5c67bda4bff51afdff4f599d.exe
Size

224KB
MD5

663c4cdae495142d1d0ebf5303d62210
SHA1

48250f082830d96239516ade98f03109596c8fa3
SHA256

023fc47c6f52055984cb9c8a332d4b0c6a7eec2e5c67bda4bff51afdff4f599d
SHA512

af5abeb533ac689be23b163639c557689859f4cd13bf1d831fc216f1ee8507cbeba3f9c634dbfc163221c748b464e7fa4c683a737f6eefc7364e8d78f41a92e7
SSDEEP

3072:8OuvnLYducl+wHwBIKetzz04LAreM0WPhYuJNiu+SChU7MPISMwi9QV5bNhk5YcW:MvnLYX+Crzh04LPwZ/INiObN1

Score

10^/10

redline sectoprat installbot_mix2 discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

installbot_mix2

185.118.165.94:15838

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/4744-4-0x0000000004A00000-0x0000000004A22000-memory.dmp	family_redline
behavioral2/memory/4744-6-0x0000000004EC0000-0x0000000004EE0000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/4744-4-0x0000000004A00000-0x0000000004A22000-memory.dmp	family_sectoprat
behavioral2/memory/4744-6-0x0000000004EC0000-0x0000000004EE0000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	023fc47c6f52055984cb9c8a332d4b0c6a7eec2e5c67bda4bff51afdff4f599d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	023fc47c6f52055984cb9c8a332d4b0c6a7eec2e5c67bda4bff51afdff4f599d.exe

C:\Users\Admin\AppData\Local\Temp\023fc47c6f52055984cb9c8a332d4b0c6a7eec2e5c67bda4bff51afdff4f599d.exe
"C:\Users\Admin\AppData\Local\Temp\023fc47c6f52055984cb9c8a332d4b0c6a7eec2e5c67bda4bff51afdff4f599d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4744-1-0x0000000002E30000-0x0000000002F30000-memory.dmp

Filesize
1024KB

Download
memory/4744-2-0x0000000002DE0000-0x0000000002E0F000-memory.dmp

Filesize
188KB

Download
memory/4744-3-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4744-4-0x0000000004A00000-0x0000000004A22000-memory.dmp

Filesize
136KB

Download
memory/4744-5-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download
memory/4744-6-0x0000000004EC0000-0x0000000004EE0000-memory.dmp

Filesize
128KB

Download
memory/4744-7-0x0000000000400000-0x0000000002C70000-memory.dmp

Filesize
40.4MB

Download
memory/4744-8-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/4744-9-0x0000000004F80000-0x0000000004F92000-memory.dmp

Filesize
72KB

Download
memory/4744-10-0x0000000007ED0000-0x0000000007F0C000-memory.dmp

Filesize
240KB

Download
memory/4744-11-0x0000000007F20000-0x0000000007F6C000-memory.dmp

Filesize
304KB

Download
memory/4744-12-0x00000000080B0000-0x00000000081BA000-memory.dmp

Filesize
1.0MB

Download
memory/4744-13-0x0000000002E30000-0x0000000002F30000-memory.dmp

Filesize
1024KB

Download
memory/4744-14-0x0000000002DE0000-0x0000000002E0F000-memory.dmp

Filesize
188KB

Download
memory/4744-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download