Overview

overview

10

Static

static

10

Remote Adm...EE.rar

windows11-21h2-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    29s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08/04/2025, 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Remote Administration Tool FREE.rar

  • Size

    9.2MB

  • MD5

    4e3a80bc68a053ce6aac48b4109059e0

  • SHA1

    b4c643a3f8bd6f56e5bf96bccfb6fc6dd9b95e08

  • SHA256

    09cccb55d5f82c274fd52cbff09e0256a779c6f8cabc2c70be3637babd12ebb2

  • SHA512

    6282fe443e70d1831bfed758c68cae784189549798fd2ef7d04a8d863f65b6201cc4428ec430eb373c68dbb5bc216c60fc368071c34cec9ecda3d5894fb73ff2

  • SSDEEP

    196608:/y0h8nGMJl8J4BzaOgAhxYKP/OZevpoE9woAJ12AsZJiRAbftr47Ow:V+GMJphaliJC8p9eP/svf9WX

Score
10/10
redlinesectoprattelegramonediscoveryinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

telegramone

C2

163.5.160.27:51523

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Sectoprat family
    sectoprat
  • Executes dropped EXE 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Remote Administration Tool FREE.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1708
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:792
    • C:\Users\Admin\Desktop\Remote Administration Tool (RAT)\Remote Administration Tool (RAT).exe
      "C:\Users\Admin\Desktop\Remote Administration Tool (RAT)\Remote Administration Tool (RAT).exe"
      1⤵
      • Executes dropped EXE
      PID:2664
    • C:\Users\Admin\Desktop\Remote Administration Tool (RAT)\x64\fix.exe
      "C:\Users\Admin\Desktop\Remote Administration Tool (RAT)\x64\fix.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2364

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\Remote Administration Tool (RAT)\Remote Administration Tool (RAT).exe
      Filesize

      2.5MB

      MD5

      5eb488fde8ae946dbe2ee631a44e2264

      SHA1

      7a7c0b9d4dfb605bed6d6f1fe256cb2b9e8799db

      SHA256

      f4894d1b685f8b6a53bfcbc23869c806258c0b7e7def3f4f946c2d6a7019dfad

      SHA512

      29fe591da31225aeb09490ddfed86e3a48c47bc17d2110ca63a7a1b243516cc8fc7f5c3a33e364c718183a4872d145b7ab8d80a5c8b932d69229cae065318c06

      Download Submit

    • C:\Users\Admin\Desktop\Remote Administration Tool (RAT)\x64\fix.exe
      Filesize

      95KB

      MD5

      1f327a277466f1bb04aa5cfcd279c0f7

      SHA1

      9bcb7bbac28992b9c7c35ba0573dce7db32ca18f

      SHA256

      e8432406bc918c6ce0d245a3bc5bb8c021b218593f94b5d09ebcda7e549f1fc0

      SHA512

      82c750475dc42d974c3fd33a4329bce7e99a5c15bf88fe4e802627b321b6c91f78e8be4b82e72380ee34c4de407878d17b18af26d7f5667104fdc55020f68a9d

      Download Submit

    • memory/2364-44-0x000000007447E000-0x000000007447F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2364-45-0x0000000000970000-0x000000000098E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2364-46-0x0000000005BC0000-0x00000000061D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2364-47-0x00000000053F0000-0x0000000005402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2364-48-0x0000000005450000-0x000000000548C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2364-49-0x0000000005490000-0x00000000054DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2364-50-0x0000000074470000-0x0000000074C21000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2364-51-0x0000000005700000-0x000000000580A000-memory.dmp

      Filesize

      1.0MB

      Download