Overview

overview

10

Static

static

GrandTheft...at.exe

windows7-x64

10

GrandTheft...at.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    11-08-2022 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GrandTheftAutoVcheat.exe

  • Size

    421KB

  • MD5

    58fc3bb157e30334818c6f8a184ed14a

  • SHA1

    e89d26ebdd8585840094db45d60968455bcfd822

  • SHA256

    0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd

  • SHA512

    91a4cfe6cbab2db859eec1c0e24da16c77d88d17d9355ada82ab4728cd7b522387c864a6c379313f75f1334d4e78322cc7808d25703f3c72bcc74e56438ad895

Score
10/10
redline@forumandiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

@foruman

C2

185.106.92.226:40788

Attributes
  • auth_value

    bd15c39173a26033961a0c806b2b4684

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GrandTheftAutoVcheat.exe
    "C:\Users\Admin\AppData\Local\Temp\GrandTheftAutoVcheat.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 44
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • memory/848-58-0x0000000000000000-mapping.dmp
    Download
  • memory/944-54-0x000000013F8B0000-0x000000013F91E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/944-55-0x0000000000880000-0x00000000008A0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1220-56-0x0000000000000000-mapping.dmp
    Download