Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    07-03-2023 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    206KB

  • MD5

    307ce80121e9db63857ffbcc6e6f413e

  • SHA1

    9721de97ac9d1ff4b6224fff96700acdc2a51984

  • SHA256

    70b1cf50a59c123dacf50e8f9356e0b65c850e05aa2511bb8d5556b87ce12f8e

  • SHA512

    fc3ec1a3c8acf148051d74bec02caf5ffdd7428d271ce7f56eed8a2b78ef7014c69300d1c704861370b255e361b35daade8fb3da0dcd914d462311e5ce171961

  • SSDEEP

    6144:PYa6O699YTGIehAlmP4+LOmt4qTGu9E2kw3mP:PYA6OpeK+LO2TT/91k/P

Score
10/10
redlinesectopratcheatdiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

193.47.61.37:38369

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
      "C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe" C:\Users\Admin\AppData\Local\Temp\sfrwbk.h
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
        "C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
    Filesize

    6KB

    MD5

    cbf7a3da7ae08e09c502c0c3d8f53341

    SHA1

    42b21a5e6b898adf8d3f7e6a86ef708528625d72

    SHA256

    8ec95a918373228d8ed14db19a1e4c546ebdb03245340036dd2b06214ee3185f

    SHA512

    4468dc1f1b67da1736cf6e9236c628f44ff7af025cb0364c734c55c6689ec2395c6c60efc89e67bd62e759e6f258515a5ce12703844779b2941fa22d98aff665

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
    Filesize

    6KB

    MD5

    cbf7a3da7ae08e09c502c0c3d8f53341

    SHA1

    42b21a5e6b898adf8d3f7e6a86ef708528625d72

    SHA256

    8ec95a918373228d8ed14db19a1e4c546ebdb03245340036dd2b06214ee3185f

    SHA512

    4468dc1f1b67da1736cf6e9236c628f44ff7af025cb0364c734c55c6689ec2395c6c60efc89e67bd62e759e6f258515a5ce12703844779b2941fa22d98aff665

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
    Filesize

    6KB

    MD5

    cbf7a3da7ae08e09c502c0c3d8f53341

    SHA1

    42b21a5e6b898adf8d3f7e6a86ef708528625d72

    SHA256

    8ec95a918373228d8ed14db19a1e4c546ebdb03245340036dd2b06214ee3185f

    SHA512

    4468dc1f1b67da1736cf6e9236c628f44ff7af025cb0364c734c55c6689ec2395c6c60efc89e67bd62e759e6f258515a5ce12703844779b2941fa22d98aff665

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
    Filesize

    6KB

    MD5

    cbf7a3da7ae08e09c502c0c3d8f53341

    SHA1

    42b21a5e6b898adf8d3f7e6a86ef708528625d72

    SHA256

    8ec95a918373228d8ed14db19a1e4c546ebdb03245340036dd2b06214ee3185f

    SHA512

    4468dc1f1b67da1736cf6e9236c628f44ff7af025cb0364c734c55c6689ec2395c6c60efc89e67bd62e759e6f258515a5ce12703844779b2941fa22d98aff665

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\sfrwbk.h
    Filesize

    5KB

    MD5

    539dc88b476d838ab32cffbbd7f33119

    SHA1

    7984f24b9f4c24227bd21d5f0f6229892baf5276

    SHA256

    7df8cd18e6c94fb288b7286bd857a72b1b871e6e37a3be89184bcc9ab5bc2f92

    SHA512

    14099ad263918e9c1af855668e1f5297c103959a90d6456206b0732c5d5800fd82f79a7cc634abaa6799754a2f759f030d254097fe68c72cdcb4a7919824ced0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp45D9.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp461E.tmp
    Filesize

    92KB

    MD5

    d6492f228d1417a459765d7b9657cbba

    SHA1

    ef73426c3634a16ac6c15803633e77035abd032c

    SHA256

    75fbdce4223e0df5805b3fddc158d6c955b34b2112ed83d9967e731cc9f8cfb7

    SHA512

    50c5c6955ac90ccc1602bc32fc2d03808f42fbde7be46c681d7b7e99eb4cfe222a868c6c73728e4afce1b5904d7b2148c29ed5b177c38a5c1bfaf047e86b5613

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ujpwrdckn.mu
    Filesize

    193KB

    MD5

    af97c7480ebf09c4f55bdfd2d151be6e

    SHA1

    24acb91a4245db415b380d68a2718c74496673cb

    SHA256

    b1f419510b5afd191caff80bcfd3d7df728e9ada37f173b10dcc0edfa61f5b9d

    SHA512

    673f308a3876aad3839046a37242bef07d9717ec941bbacf27c3b0000868a7ec88eb8964982d1dd79557ecb30d5a361558691ab25729660b8ceac77a0027ff8e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
    Filesize

    6KB

    MD5

    cbf7a3da7ae08e09c502c0c3d8f53341

    SHA1

    42b21a5e6b898adf8d3f7e6a86ef708528625d72

    SHA256

    8ec95a918373228d8ed14db19a1e4c546ebdb03245340036dd2b06214ee3185f

    SHA512

    4468dc1f1b67da1736cf6e9236c628f44ff7af025cb0364c734c55c6689ec2395c6c60efc89e67bd62e759e6f258515a5ce12703844779b2941fa22d98aff665

    Download Submit
  • \Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
    Filesize

    6KB

    MD5

    cbf7a3da7ae08e09c502c0c3d8f53341

    SHA1

    42b21a5e6b898adf8d3f7e6a86ef708528625d72

    SHA256

    8ec95a918373228d8ed14db19a1e4c546ebdb03245340036dd2b06214ee3185f

    SHA512

    4468dc1f1b67da1736cf6e9236c628f44ff7af025cb0364c734c55c6689ec2395c6c60efc89e67bd62e759e6f258515a5ce12703844779b2941fa22d98aff665

    Download Submit
  • \Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
    Filesize

    6KB

    MD5

    cbf7a3da7ae08e09c502c0c3d8f53341

    SHA1

    42b21a5e6b898adf8d3f7e6a86ef708528625d72

    SHA256

    8ec95a918373228d8ed14db19a1e4c546ebdb03245340036dd2b06214ee3185f

    SHA512

    4468dc1f1b67da1736cf6e9236c628f44ff7af025cb0364c734c55c6689ec2395c6c60efc89e67bd62e759e6f258515a5ce12703844779b2941fa22d98aff665

    Download Submit
  • memory/1944-69-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1944-76-0x0000000004830000-0x0000000004870000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1944-75-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1944-74-0x0000000000230000-0x000000000024E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1944-73-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1944-164-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download