Overview

overview

10

Static

static

proton free.exe

windows7-x64

10

proton free.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    46s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2022 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    proton free.exe

  • Size

    2.4MB

  • MD5

    ba0fcc475c2ae5390cc58b8311141747

  • SHA1

    cb3fa75cd34dce89b0adeb6ecac6c87f0f6629f5

  • SHA256

    7f75065513270ddbfef0c8b2fea3a5a4b8023cbca6ca746929bc9cf888d96b78

  • SHA512

    7bf633fad60e61a4cf888ba797761345322c32eb890e575b8348b6db9e3236021328ee75836a98a09a9ecccb60fa6cf8442541009e7f5141d288b5f0b51f1017

  • SSDEEP

    24576:MSPlYgvYcYYFTbY8M6UltHMCETI1Rj+hO5AlyHoZLClwLVSJVVgRdNa5CJl3RuQV:MaYMJk1bHoZLClwsSJl31

Score
10/10
redlineytstealerubicainfostealerspywarestealerupx

Malware Config

Extracted

Family

redline

Botnet

ubica

C2

185.106.92.228:24221

Attributes
  • auth_value

    abace2a6ba4a747fd979f4ce8da5f1d0

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\proton free.exe
    "C:\Users\Admin\AppData\Local\Temp\proton free.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:148596
      • C:\Users\Admin\AppData\Local\Temp\123.exe
        "C:\Users\Admin\AppData\Local\Temp\123.exe"
        3⤵
        • Executes dropped EXE
        PID:148860

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\123.exe
    Filesize

    4.0MB

    MD5

    54d16b2bd83331c4512e3392271ac098

    SHA1

    313327e368810eae000d565f642a33ae3fc47fef

    SHA256

    cecc58f7e5b69e0b2159f68ca5ee38f36b59a0adbe36f8a93e791f8788488fb5

    SHA512

    9a613dd5e73d001e7a5fc71433619c6ffe7f1208b4930652e8a3c5e34330e7c7baf588a1386126d4a131041ad6162dfb390a3174f3cf511eaada1d00b4c314b3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\123.exe
    Filesize

    4.0MB

    MD5

    54d16b2bd83331c4512e3392271ac098

    SHA1

    313327e368810eae000d565f642a33ae3fc47fef

    SHA256

    cecc58f7e5b69e0b2159f68ca5ee38f36b59a0adbe36f8a93e791f8788488fb5

    SHA512

    9a613dd5e73d001e7a5fc71433619c6ffe7f1208b4930652e8a3c5e34330e7c7baf588a1386126d4a131041ad6162dfb390a3174f3cf511eaada1d00b4c314b3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\123.exe
    Filesize

    4.0MB

    MD5

    54d16b2bd83331c4512e3392271ac098

    SHA1

    313327e368810eae000d565f642a33ae3fc47fef

    SHA256

    cecc58f7e5b69e0b2159f68ca5ee38f36b59a0adbe36f8a93e791f8788488fb5

    SHA512

    9a613dd5e73d001e7a5fc71433619c6ffe7f1208b4930652e8a3c5e34330e7c7baf588a1386126d4a131041ad6162dfb390a3174f3cf511eaada1d00b4c314b3

    Download Submit
  • memory/1836-63-0x0000000000400000-0x000000000055D000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/148596-65-0x0000000075771000-0x0000000075773000-memory.dmp
    Filesize

    8KB

    Download
  • memory/148596-62-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/148596-54-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/148596-64-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/148596-61-0x000000000041ADB6-mapping.dmp
    Download
  • memory/148596-56-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/148860-68-0x0000000000000000-mapping.dmp
    Download
  • memory/148860-70-0x0000000000230000-0x0000000001042000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/148860-71-0x0000000000230000-0x0000000001042000-memory.dmp
    Filesize

    14.1MB

    Download