Analysis
-
max time kernel
140s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 15:53
Static task
static1
Behavioral task
behavioral1
Sample
7c97f0deaa47de819fab1ddd525858b40cd57d6c8c81bb757884d9e446414c66.exe
Resource
win7-20240903-en
General
-
Target
7c97f0deaa47de819fab1ddd525858b40cd57d6c8c81bb757884d9e446414c66.exe
-
Size
317KB
-
MD5
1beb3bf1a30660549752bfc6173b9cbd
-
SHA1
62679c03fdebb32a4525d8ab1315cad1f0269eb9
-
SHA256
7c97f0deaa47de819fab1ddd525858b40cd57d6c8c81bb757884d9e446414c66
-
SHA512
9b2eac74bd8b1b2b309e7eeab10b01b6458f464b6abe7e0494719d8129d6775f850d10294d5e31f822896dce6f157679e45cc8860e7449d36c280f8bd0d3c3ae
-
SSDEEP
6144:wCZQpuCn0CzqU7qX7nQbV8Zme/WdMNKxz0LOsxKpX3PfSgh:dZ4n0CzqUWDQb6oc2MvxS3Sg
Malware Config
Extracted
redline
UTS
45.9.20.20:13441
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/memory/384-5-0x0000000000C70000-0x0000000000C96000-memory.dmp family_redline behavioral2/memory/384-7-0x0000000002570000-0x0000000002594000-memory.dmp family_redline -
Redline family
-
SectopRAT payload 2 IoCs
resource yara_rule behavioral2/memory/384-5-0x0000000000C70000-0x0000000000C96000-memory.dmp family_sectoprat behavioral2/memory/384-7-0x0000000002570000-0x0000000002594000-memory.dmp family_sectoprat -
Sectoprat family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7c97f0deaa47de819fab1ddd525858b40cd57d6c8c81bb757884d9e446414c66.exe
Processes
Network
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request67.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request75.117.19.2.in-addr.arpaIN PTRResponse75.117.19.2.in-addr.arpaIN PTRa2-19-117-75deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
67.31.126.40.in-addr.arpa
-
146 B 144 B 2 1
DNS Request
95.221.229.192.in-addr.arpa
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
75.117.19.2.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa