Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 05:58
Static task
static1
Behavioral task
behavioral1
Sample
13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
Resource
win7-20240903-en
General
-
Target
13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
-
Size
326KB
-
MD5
8d55a7d6d505f46939c511271e0dbc78
-
SHA1
cca0206a78819f40d6829d66fe3221394bc055ce
-
SHA256
13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9
-
SHA512
2bde2dc05f4769aa4745b9062bcd10a07180660a7b06c9dcdd31c55eda7fac59c74ca73e66c6b7941ef148071f9fc42826f64200661fccd293dab668173be8d4
-
SSDEEP
3072:FnUeXcgbZ2/rkpH8LlgiIICv17yvoqPm4TbIvu4VuCwszeFIFCIncVi:FLX1RpH85giIjd2vu4Pw1kbszZV
Malware Config
Extracted
redline
prayfo
45.144.29.19:24123
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1200-11-0x0000000000400000-0x000000000041C000-memory.dmp family_redline -
Redline family
-
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1200-11-0x0000000000400000-0x000000000041C000-memory.dmp family_sectoprat -
Sectoprat family
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exedescription pid process target process PID 4916 set thread context of 1200 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exedescription pid process Token: SeDebugPrivilege 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe Token: SeDebugPrivilege 1200 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exedescription pid process target process PID 4916 wrote to memory of 1200 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe PID 4916 wrote to memory of 1200 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe PID 4916 wrote to memory of 1200 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe PID 4916 wrote to memory of 1200 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe PID 4916 wrote to memory of 1200 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe PID 4916 wrote to memory of 1200 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe PID 4916 wrote to memory of 1200 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe PID 4916 wrote to memory of 1200 4916 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe 13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe"C:\Users\Admin\AppData\Local\Temp\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exeC:\Users\Admin\AppData\Local\Temp\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\13c624c2d8557ffb2b388b1cd475e71f068920c360a7f7f9d776dadf8f835fc9.exe.log
Filesize1KB
MD5b5291f3dcf2c13784e09a057f2e43d13
SHA1fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e
SHA256ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce
SHA51211c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4