Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
26-02-2023 14:50
General
-
Target
RustMacros.exe
-
Size
433KB
-
MD5
41789be9f31e23d811d63f299213388c
-
SHA1
1ccc532526400d86c23a52f557b0b2658aa48244
-
SHA256
92c1262450cc6e53470e4aca37d4eaec1ffb55b1238883579ab3a76b5fbb7200
-
SHA512
3caec597f92887fe3ef0ef181d905096393896ead982a2b3b47019707dc5d65036956ce46c3c3fed8befe978ab937f23cc7097f8be49d2bdb73f873917184f59
-
SSDEEP
12288:1hqxSLo5C1Ps4XhH+trp8PkFs/yYXKvcgQ:1HLmCiIhmRFs5XKnQ
Malware Config
Extracted
redline
185.215.113.69:15544
-
auth_value
f8c95622a8bfe9810b6eb4a895933422
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Zingo stealer
Zingo is an info stealer first seen in March 2022.
-
Zingo stealer payload 4 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RustMacros.exe"C:\Users\Admin\AppData\Local\Temp\RustMacros.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RustMacros3.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RustMacros3.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BouncyCastle.Crypto.dllFilesize
2.5MB
MD5f0b3e112ce4807a28e2b5d66a840ed7f
SHA154a6743781fd4ceb720331fce92f16186931192d
SHA256333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c
SHA512dc8ec9754c5e86f7e54e75ff3e5859c1b057f90e9c41788037b944a5db2cb3b70060763d0efcbe55ec595bcc47a9c0ff847a4876821470ca1659c31afd5b0190
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RustMacros3.exeFilesize
258KB
MD552c6d988f68befbf3cb84fc5a8a3b63c
SHA16165d1de1478563eece863eda9c9bf7e6a294a17
SHA2560c1c450399afa9ec097a56a60c84c3d19a45cebab5f74445046b89fd61f7ca5f
SHA51232f792a80fede4c21644007f3a1c163edcd8777f9dd2a2b523560b7915a5c0d946b2cde95e06b44e3346d99ccc8c7b6e6c258a1666fe7570d3e4b6028101a622
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RustMacros3.exeFilesize
258KB
MD552c6d988f68befbf3cb84fc5a8a3b63c
SHA16165d1de1478563eece863eda9c9bf7e6a294a17
SHA2560c1c450399afa9ec097a56a60c84c3d19a45cebab5f74445046b89fd61f7ca5f
SHA51232f792a80fede4c21644007f3a1c163edcd8777f9dd2a2b523560b7915a5c0d946b2cde95e06b44e3346d99ccc8c7b6e6c258a1666fe7570d3e4b6028101a622
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RustMacros3.exeFilesize
258KB
MD552c6d988f68befbf3cb84fc5a8a3b63c
SHA16165d1de1478563eece863eda9c9bf7e6a294a17
SHA2560c1c450399afa9ec097a56a60c84c3d19a45cebab5f74445046b89fd61f7ca5f
SHA51232f792a80fede4c21644007f3a1c163edcd8777f9dd2a2b523560b7915a5c0d946b2cde95e06b44e3346d99ccc8c7b6e6c258a1666fe7570d3e4b6028101a622
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exeFilesize
54KB
MD552813a94da680b341266991e046beffd
SHA1ca954e89ea93e198c976b4dbf844da9ce4d5fb5e
SHA25610be67e6243f8ff5165f644af06d955992f33da9779c7d946a1fe001b57c1829
SHA512106f76a5e338ea41abf0cf848e58103b13a974c156c50e376182a1daee4b12f0641ea3ac00093f099e2cd5ba47e6f2eadc97ae188dea48494f5e88e0cd1bab2f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exeFilesize
54KB
MD552813a94da680b341266991e046beffd
SHA1ca954e89ea93e198c976b4dbf844da9ce4d5fb5e
SHA25610be67e6243f8ff5165f644af06d955992f33da9779c7d946a1fe001b57c1829
SHA512106f76a5e338ea41abf0cf848e58103b13a974c156c50e376182a1daee4b12f0641ea3ac00093f099e2cd5ba47e6f2eadc97ae188dea48494f5e88e0cd1bab2f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vega.exeFilesize
54KB
MD552813a94da680b341266991e046beffd
SHA1ca954e89ea93e198c976b4dbf844da9ce4d5fb5e
SHA25610be67e6243f8ff5165f644af06d955992f33da9779c7d946a1fe001b57c1829
SHA512106f76a5e338ea41abf0cf848e58103b13a974c156c50e376182a1daee4b12f0641ea3ac00093f099e2cd5ba47e6f2eadc97ae188dea48494f5e88e0cd1bab2f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x64\SQLite.Interop.dllFilesize
1.7MB
MD556a504a34d2cfbfc7eaa2b68e34af8ad
SHA1426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA2569309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x86\SQLite.Interop.dllFilesize
1.3MB
MD58be215abf1f36aa3d23555a671e7e3be
SHA1547d59580b7843f90aaca238012a8a0c886330e6
SHA25683f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA51238cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x86\SQLite.Interop.dllFilesize
1.3MB
MD58be215abf1f36aa3d23555a671e7e3be
SHA1547d59580b7843f90aaca238012a8a0c886330e6
SHA25683f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA51238cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
-
memory/232-212-0x0000000005670000-0x0000000005680000-memory.dmpFilesize
64KB
-
memory/232-190-0x0000000006660000-0x00000000066B0000-memory.dmpFilesize
320KB
-
memory/232-191-0x0000000007710000-0x0000000007732000-memory.dmpFilesize
136KB
-
memory/232-195-0x0000000007870000-0x00000000078D2000-memory.dmpFilesize
392KB
-
memory/232-187-0x00000000077C0000-0x0000000007870000-memory.dmpFilesize
704KB
-
memory/232-163-0x0000000000D90000-0x0000000000DA4000-memory.dmpFilesize
80KB
-
memory/232-167-0x0000000005670000-0x0000000005680000-memory.dmpFilesize
64KB
-
memory/232-219-0x0000000009210000-0x000000000928A000-memory.dmpFilesize
488KB
-
memory/232-201-0x0000000008050000-0x000000000808C000-memory.dmpFilesize
240KB
-
memory/3812-213-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/3812-179-0x0000000005380000-0x00000000053E6000-memory.dmpFilesize
408KB
-
memory/3812-211-0x0000000007230000-0x000000000775C000-memory.dmpFilesize
5.2MB
-
memory/3812-169-0x0000000005030000-0x000000000506C000-memory.dmpFilesize
240KB
-
memory/3812-202-0x0000000006B30000-0x0000000006CF2000-memory.dmpFilesize
1.8MB
-
memory/3812-168-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/3812-180-0x0000000005F30000-0x0000000005FC2000-memory.dmpFilesize
584KB
-
memory/3812-166-0x0000000004FD0000-0x0000000004FE2000-memory.dmpFilesize
72KB
-
memory/3812-165-0x00000000050A0000-0x00000000051AA000-memory.dmpFilesize
1.0MB
-
memory/3812-164-0x0000000005570000-0x0000000005B88000-memory.dmpFilesize
6.1MB
-
memory/3812-181-0x0000000006580000-0x0000000006B24000-memory.dmpFilesize
5.6MB
-
memory/3812-148-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB