Overview

overview

10

Static

static

5

QUOTATION#08670.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTATION#08670.exe

  • Size

    893KB

  • MD5

    ddd5c5ff1e8ab9da6c65c65510c07ab6

  • SHA1

    5226baf5b02039387e83e3a03ab2e26c32af6989

  • SHA256

    f169b87df9bdf1534a1fbc75038ab9b1c6ea0c2b812bffb17291af18cfc5ac20

  • SHA512

    050bc82645769f62dad0a95d3833579624a88b1f37ffd6ab9bcdc7557b3e5cb2eec5f84bbfadf1793033bcf7e02fe14d5981809da64ce1273c1f15b0df40f1c8

  • SSDEEP

    12288:ALkcoxg7v3qnC11ErwIhh0F4qwUgUny5Q6rgIbiRB9PdRsh6yy:WfmMv6Ckr7Mny5Q66Rkh6yy

Score
10/10
redlinesectopratpeediscoveryinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

pee

C2

188.190.10.10:55123

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QUOTATION#08670.exe
    "C:\Users\Admin\AppData\Local\Temp\QUOTATION#08670.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\QUOTATION#08670.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4192-2-0x0000000003C30000-0x0000000003E30000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4900-3-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4900-4-0x000000007491E000-0x000000007491F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4900-5-0x00000000055A0000-0x0000000005BB8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4900-6-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4900-7-0x0000000005060000-0x000000000509C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4900-8-0x00000000050A0000-0x00000000050EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4900-9-0x0000000074910000-0x00000000750C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4900-10-0x0000000005300000-0x000000000540A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4900-11-0x000000007491E000-0x000000007491F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4900-12-0x0000000074910000-0x00000000750C0000-memory.dmp

    Filesize

    7.7MB

    Download