Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 11:14

General

  • Target

    be67c3e96365bc394ccb229a414d3ba726ab7498ae73cea5f89d437d7a5d3662.exe

  • Size

    150KB

  • MD5

    5cd1e02cb68df11380841530977ea517

  • SHA1

    09c9bde608ae8fa12a8c205ed093c0bbdb1c8875

  • SHA256

    be67c3e96365bc394ccb229a414d3ba726ab7498ae73cea5f89d437d7a5d3662

  • SHA512

    23b7be40ae811161613f185c1fef96d46b0a8fe2bde0dea726f9f3603998745309c47777a733266291b70e6fc95ddf0f3352bbd08ae9d8d826ff01abb298a845

  • SSDEEP

    3072:k5RYLtJoWl7zPuRy11dafnxyOAxqT2VfOIwRBklg:UYAWpJTvxqSfODH

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

193.47.61.7:42774

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Sectoprat family
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be67c3e96365bc394ccb229a414d3ba726ab7498ae73cea5f89d437d7a5d3662.exe
    "C:\Users\Admin\AppData\Local\Temp\be67c3e96365bc394ccb229a414d3ba726ab7498ae73cea5f89d437d7a5d3662.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/744-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

    Filesize

    4KB

  • memory/744-1-0x0000000000120000-0x000000000014C000-memory.dmp

    Filesize

    176KB

  • memory/744-2-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

  • memory/744-3-0x0000000004AC0000-0x0000000004B26000-memory.dmp

    Filesize

    408KB

  • memory/744-6-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

  • memory/4928-7-0x0000000000360000-0x000000000037E000-memory.dmp

    Filesize

    120KB

  • memory/4928-8-0x0000000074AB0000-0x0000000074B5B000-memory.dmp

    Filesize

    684KB

  • memory/4928-9-0x00000000053E0000-0x00000000059F8000-memory.dmp

    Filesize

    6.1MB

  • memory/4928-10-0x0000000004D70000-0x0000000004D82000-memory.dmp

    Filesize

    72KB

  • memory/4928-11-0x0000000004E40000-0x0000000004E7C000-memory.dmp

    Filesize

    240KB

  • memory/4928-12-0x0000000074AB0000-0x0000000074B5B000-memory.dmp

    Filesize

    684KB

  • memory/4928-13-0x0000000004E80000-0x0000000004ECC000-memory.dmp

    Filesize

    304KB

  • memory/4928-14-0x00000000050C0000-0x00000000051CA000-memory.dmp

    Filesize

    1.0MB

  • memory/4928-15-0x0000000074AB0000-0x0000000074B5B000-memory.dmp

    Filesize

    684KB