Overview

overview

10

Static

static

3

0cfd5c4237...01.exe

windows7-x64

10

0cfd5c4237...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cfd5c42375737ecd1186c43743344c3485163e5bc511cfc20dc03b7a64bec01.exe

  • Size

    398KB

  • MD5

    34ab4db5d70a3b165d57e73e77d7c7b9

  • SHA1

    c2e99c94cc5633da89047ec347d4600040426eb4

  • SHA256

    0cfd5c42375737ecd1186c43743344c3485163e5bc511cfc20dc03b7a64bec01

  • SHA512

    dcd9b1737d27cefcdf51e87b6d777cc8a27752cb6d5ab4eb54e1d15eba89a06051fd764fbd7ecd83e3f002cf9264b2896951dfe121dc3f7810c7a56cb7bf6488

  • SSDEEP

    12288:tIxx8ke7+mHCa1n69HLYs6L1szovt1pN:iO+mHIYs2coPj

Score
10/10
redlinesectopratsewpalpadindiscoveryinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

SewPalpadin

C2

185.215.113.114:8887

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Sectoprat family
    sectoprat
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cfd5c42375737ecd1186c43743344c3485163e5bc511cfc20dc03b7a64bec01.exe
    "C:\Users\Admin\AppData\Local\Temp\0cfd5c42375737ecd1186c43743344c3485163e5bc511cfc20dc03b7a64bec01.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2616-2-0x00000000021C0000-0x00000000021EF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2616-1-0x0000000000480000-0x0000000000580000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2616-3-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2616-4-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2616-5-0x00000000024F0000-0x0000000002510000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2616-6-0x0000000004DD0000-0x0000000005374000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2616-7-0x0000000002690000-0x00000000026AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2616-8-0x0000000005380000-0x0000000005998000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2616-9-0x00000000028D0000-0x00000000028E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2616-10-0x00000000028F0000-0x000000000292C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2616-11-0x0000000002940000-0x000000000298C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2616-12-0x0000000005A00000-0x0000000005B0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2616-13-0x0000000000480000-0x0000000000580000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2616-14-0x00000000021C0000-0x00000000021EF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2616-15-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download