Overview

Task                                    Score
Overview (overview)                     10
Static (static)                         1
RustMacros.exe (windows7-x64)           10
RustMacros.exe (windows10-2004-x64)     10
adblib32.dll (windows7-x64)             1
adblib32.dll (windows10-2004-x64)       1
libquadmath-0.dll (windows7-x64)        3
libquadmath-0.dll (windows10-2004-x64)  3
unrar.dll (windows7-x64)                3
unrar.dll (windows10-2004-x64)          3
xca.dll (windows7-x64)                  1
xca.dll (windows10-2004-x64)            1

Analysis
max time kernel:   118s
max time network:  121s
platform:          windows10-2004_x64
resource:          win10v2004-20230221-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted:         26-02-2023 14:50
Static task:  static1

Behavioral tasks
Task          Sample             Resource
behavioral1   RustMacros.exe     win7-20230220-en
behavioral2   RustMacros.exe     win10v2004-20230221-en
behavioral3   adblib32.dll       win7-20230220-en
behavioral4   adblib32.dll       win10v2004-20230220-en
behavioral5   libquadmath-0.dll  win7-20230220-en
behavioral6   libquadmath-0.dll  win10v2004-20230220-en
behavioral7   unrar.dll          win7-20230220-en
behavioral8   unrar.dll          win10v2004-20230220-en
behavioral9   xca.dll            win7-20230220-en
behavioral10  xca.dll            win10v2004-20230220-en
General
Target:  RustMacros.exe
Size:    433KB
MD5:     41789be9f31e23d811d63f299213388c
SHA1:    1ccc532526400d86c23a52f557b0b2658aa48244
SHA256:  92c1262450cc6e53470e4aca37d4eaec1ffb55b1238883579ab3a76b5fbb7200
SHA512:  3caec597f92887fe3ef0ef181d905096393896ead982a2b3b47019707dc5d65036956ce46c3c3fed8befe978ab937f23cc7097f8be49d2bdb73f873917184f59
SSDEEP:  12288:1hqxSLo5C1Ps4XhH+trp8PkFs/yYXKvcgQ:1HLmCiIhmRFs5XKnQ
Malware Config
Extracted family:  redline
C2:                185.215.113.69:15544
auth_value:        f8c95622a8bfe9810b6eb4a895933422
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Zingo stealer payload (4 IoCs)
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exe                           family_zingo
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exe                           family_zingo
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exe                           family_zingo
  behavioral2/memory/232-163-0x0000000000D90000-0x0000000000DA4000-memory.dmp  family_zingo

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  RustMacros.exe

Executes dropped EXE (2 IoCs)
  pid   process
  1668  RustMacros3.exe
  232   Vega.exe

Loads dropped DLL (7 IoCs)
  pid   process
  232   Vega.exe   (7 identical entries)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  15    freegeoip.app
  16    freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process          target process
  PID 1668 set thread context of 3812  1668  RustMacros3.exe  AppLaunch.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                      process
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Vega.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Vega.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  3812  AppLaunch.exe
  3812  AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  232   Vega.exe
  Token: SeDebugPrivilege  3812  AppLaunch.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   process          target process
  PID 4772 wrote to memory of 1668  4772  RustMacros.exe   RustMacros3.exe  (3 entries)
  PID 1668 wrote to memory of 3812  1668  RustMacros3.exe  AppLaunch.exe    (5 entries)
  PID 4772 wrote to memory of 232   4772  RustMacros.exe   Vega.exe         (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\RustMacros.exe  (PID 4772)
  command line: "C:\Users\Admin\AppData\Local\Temp\RustMacros.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\RarSFX0\RustMacros3.exe  (PID 1668)
  |     command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RustMacros3.exe"
  |     - Executes dropped EXE
  |     - Suspicious use of SetThreadContext
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3812)
  |           command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  |           - Suspicious behavior: EnumeratesProcesses
  |           - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exe  (PID 232)
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads