Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 08:06
Static task
static1
Behavioral task
behavioral1
Sample
6AFDD0CBDF70F3E75F423B1557648E85.exe
Resource
win7-20240708-en
General
-
Target
6AFDD0CBDF70F3E75F423B1557648E85.exe
-
Size
1.0MB
-
MD5
6afdd0cbdf70f3e75f423b1557648e85
-
SHA1
6c5cf72a38f08fd41b9f4943efaa4fa3b4d92c66
-
SHA256
f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71
-
SHA512
b550dbba19c53f55d1433cfbd38fff724c9759da4232597f1b3213e98529f440854a32387eb4a7a7aea2b6a2601816e13b0cfd2ab8712c2f6ef0ec66a2c5028d
-
SSDEEP
24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8abXTaR:ATvC/MTQYxsWR7abX
Malware Config
Extracted
redline
cheat
185.222.58.90:55615
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral1/memory/1364-7-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/1364-11-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/1364-9-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
Redline family
-
SectopRAT payload 3 IoCs
resource yara_rule behavioral1/memory/1364-7-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/1364-11-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat behavioral1/memory/1364-9-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat -
Sectoprat family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2332 set thread context of 1364 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6AFDD0CBDF70F3E75F423B1557648E85.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1364 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2332 wrote to memory of 1364 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 31 PID 2332 wrote to memory of 1364 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 31 PID 2332 wrote to memory of 1364 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 31 PID 2332 wrote to memory of 1364 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 31 PID 2332 wrote to memory of 1364 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 31 PID 2332 wrote to memory of 1364 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 31 PID 2332 wrote to memory of 1364 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 31 PID 2332 wrote to memory of 1364 2332 6AFDD0CBDF70F3E75F423B1557648E85.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\6AFDD0CBDF70F3E75F423B1557648E85.exe"C:\Users\Admin\AppData\Local\Temp\6AFDD0CBDF70F3E75F423B1557648E85.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\6AFDD0CBDF70F3E75F423B1557648E85.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1364
-