Overview

overview

10

Static

static

1

13c624c2d8...c9.exe

windows7-x64

10

13c624c2d8...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 05:58 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe

  • Size

    326KB

  • MD5

    8d55a7d6d505f46939c511271e0dbc78

  • SHA1

    cca0206a78819f40d6829d66fe3221394bc055ce

  • SHA256

    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9

  • SHA512

    2bde2dc05f4769aa4745b9062bcd10a07180660a7b06c9dcdd31c55eda7fac59c74ca73e66c6b7941ef148071f9fc42826f64200661fccd293dab668173be8d4

  • SSDEEP

    3072:FnUeXcgbZ2/rkpH8LlgiIICv17yvoqPm4TbIvu4VuCwszeFIFCIncVi:FLX1RpH85giIjd2vu4Pw1kbszZV

Score
10/10
redlinesectopratprayfodiscoveryinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

prayfo

C2

45.144.29.19:24123

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    "C:\Users\Admin\AppData\Local\Temp\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
      C:\Users\Admin\AppData\Local\Temp\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1200

Network

  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     160 B
     5
    4
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    260 B
     200 B
     5
    5
  • 45.144.29.19:24123
    13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
    208 B
     160 B
     4
    4
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    103.209.201.84.in-addr.arpa
    dns
    73 B
     133 B
     1
    1

    DNS Request

    103.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe.log
    Filesize

    1KB

    MD5

    b5291f3dcf2c13784e09a057f2e43d13

    SHA1

    fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

    SHA256

    ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

    SHA512

    11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

    Download Submit

  • memory/1200-11-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1200-23-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1200-22-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1200-21-0x00000000050F0000-0x00000000051FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1200-20-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1200-18-0x0000000004E60000-0x0000000004EAC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1200-17-0x0000000004E20000-0x0000000004E5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1200-16-0x0000000002A30000-0x0000000002A42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1200-14-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1200-15-0x00000000053C0000-0x00000000059D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4916-5-0x00000000052C0000-0x00000000052CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4916-10-0x0000000005710000-0x000000000571E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4916-9-0x00000000056C0000-0x00000000056DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4916-8-0x0000000005480000-0x00000000054F6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4916-7-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4916-6-0x000000007451E000-0x000000007451F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4916-0-0x000000007451E000-0x000000007451F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4916-4-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4916-19-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4916-3-0x00000000051E0000-0x0000000005272000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4916-2-0x0000000005850000-0x0000000005DF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4916-1-0x00000000008E0000-0x0000000000936000-memory.dmp

    Filesize

    344KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.