Analysis
max time kernel: 149s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 20:07
Behavioral task behavioral1
Sample: panel.exe
Resource: win7-20230220-en

Behavioral task behavioral2
Sample: panel.exe
Resource: win10v2004-20230220-en

The signatures, process tree and dropped files below come from behavioral2 (the Windows 10 run): every memory-dump resource is named behavioral2/memory/1956-... and the platform field above is windows10-2004_x64.
General
Target: panel.exe
Size: 170KB
MD5: 470a8267b5eba7eb998d9fa69532f849
SHA1: 1152ddb2ab93aae9983e3e8b5c4f367875323e3e
SHA256: 6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e
SHA512: 5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d
SSDEEP: 3072:O+STW8djpN6izj8mZwHQiWZqswqIPu/i9b+J2cOZTMi56+WpL:z8XN6W8mmdUwXPSi9b2c3
Malware Config
Extracted family: asyncrat
Config name: Default
C2 hosts: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
Telegram Bot API URL: https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

The three loopback hosts on ports 6606/7707/8808 and the mutex AsyncMutex_6SI8OkPnk are the values the AsyncRAT builder ships with, so this build has no reachable AsyncRAT C2. The Telegram sendMessage URL (bot 6093966625, chat_id 5529838804) is the only operator-specific setting and is the exfiltration channel; the bot token in that path is the indicator to hunt for in proxy logs, since generic api.telegram.org traffic is too common to alert on. With install=false the sample is not configured to copy itself to %AppData% or to set up persistence.
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
yara_rule redline_stealer: behavioral2/memory/1956-136-0x0000000005B80000-0x0000000005BE6000-memory.dmp

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
yara_rule family_stormkitty: behavioral2/memory/1956-133-0x0000000000DF0000-0x0000000000E20000-memory.dmp

Async RAT payload (1 IoC)
yara_rule asyncrat: behavioral2/memory/1956-133-0x0000000000DF0000-0x0000000000E20000-memory.dmp

All three family rules fired on memory dumps of the same process (PID 1956, panel.exe). The StormKitty and AsyncRAT rules matched the identical region (0x00DF0000-0x00E20000 in dump 133), which is expected: StormKitty is built on the AsyncRAT code base, and that shared code is also why the config extractor labelled the sample asyncrat. The RedLine hit is a string-based match on a separate dump (136, 0x05B80000-0x05BE6000); the recorded behaviour (Grabber staging layout, netsh wlan harvesting, Telegram exfiltration) is StormKitty's, so classify on that rather than on the RedLine string hit.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and history.

Drops desktop.ini file(s) (8 IoCs)
All eight files are written by panel.exe under the stealer's staging directory C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\, which mirrors the victim's user folders: the Grabber module is copying the contents of Desktop, Documents, Downloads and Pictures, and the hidden desktop.ini files come along with the real documents. The signature is evidence of document collection, not of anything special about desktop.ini itself.
File created: C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini (panel.exe)
File created: C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini (panel.exe)
File created: C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini (panel.exe)
File created: C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini (panel.exe)
File opened for modification: C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini (panel.exe)
File opened for modification: C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini (panel.exe)
File created: C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini (panel.exe)
File created: C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini (panel.exe)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 56: icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
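The following is an added example, not part of the sandbox report, showing how a responder would turn the extracted config above and the icanhazip.com flow into hunt logic. The config values and the IP-lookup domain are copied from this report; the AsyncRAT builder defaults are taken from the public AsyncRAT source and are an assumption about the builder version used; the proxy log lines are constructed for the demonstration.

```python
"""Turn this report's extracted config and network IoCs into hunt logic.

Added example, not part of the sandbox report. The config values and the
icanhazip.com flow are copied from the report; the AsyncRAT builder defaults
are taken from the public AsyncRAT source and are an assumption about the
builder version used; the proxy log lines are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Values exactly as the report's config extractor printed them.
EXTRACTED_CONFIG = {
    "hosts": ["127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808"],
    "telegram": ("https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc"
                 "/sendMessage?chat_id=5529838804"),
    "mutex": "AsyncMutex_6SI8OkPnk",
    "delay": 3,
    "install": False,
    "install_folder": "%AppData%",
}

# Assumption: unmodified upstream AsyncRAT builder defaults.
BUILDER_DEFAULTS = {
    "hosts": {"127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808"},
    "mutex": "AsyncMutex_6SI8OkPnk",
    "delay": 3,
    "install": False,
    "install_folder": "%AppData%",
}
EXTERNAL_IP_SERVICES = {"icanhazip.com"}  # flow IoC from the report
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_url(url):
    """Split a Bot API URL into bot_id / token / method / chat_id; None if it is not one."""
    parts = urlsplit(url)
    if parts.netloc.lower() != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_RE.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": m["bot_id"], "token": f"{m['bot_id']}:{m['secret']}",
            "method": m["method"], "chat_id": chat_id}


def classify_config(cfg):
    """Separate fields still at builder defaults from fields the operator changed."""
    default, operator_set = [], []
    (default if set(cfg["hosts"]) == BUILDER_DEFAULTS["hosts"] else operator_set).append("hosts")
    for key in ("mutex", "delay", "install", "install_folder"):
        (default if cfg[key] == BUILDER_DEFAULTS[key] else operator_set).append(key)
    if cfg.get("telegram"):
        operator_set.append("telegram")
    return {"default": default, "operator_set": operator_set}


def hunt_indicators(cfg):
    """Network indicators worth acting on: real C2 sockets and the bot-specific URL path."""
    tcp = set()
    for hostport in cfg["hosts"]:
        host, _, port = hostport.rpartition(":")
        if host not in LOOPBACK:  # loopback entries are builder defaults, not infrastructure
            tcp.add((host, int(port)))
    url_substrings = []
    tg = parse_telegram_url(cfg.get("telegram", ""))
    if tg:
        # Match on the token path: plain api.telegram.org traffic is far too common to alert on.
        url_substrings.append(f"api.telegram.org/bot{tg['token']}/{tg['method']}")
    return {"tcp": tcp, "url_substrings": url_substrings}


# Constructed proxy log, format "<timestamp> <client> <method> <url>".
SAMPLE_PROXY_LOG = [
    "2023-05-01T20:07:31Z 10.0.0.15 GET http://icanhazip.com/",
    "2023-05-01T20:07:32Z 10.0.0.15 GET https://www.bing.com/",
    "2023-05-01T20:07:40Z 10.0.0.15 POST " + EXTRACTED_CONFIG["telegram"],
    "2023-05-01T20:08:02Z 10.0.0.22 GET https://api.telegram.org/bot111:zzz/getMe",  # other bot, no alert
]


def hunt_proxy_log(lines, indicators):
    """Return (line, reason) for requests that hit the indicators."""
    hits = []
    for line in lines:
        url = line.split()[-1]
        if any(s in url for s in indicators["url_substrings"]):
            hits.append((line, "telegram_bot_token_match"))
        elif urlsplit(url).netloc.lower() in EXTERNAL_IP_SERVICES:
            hits.append((line, "external_ip_lookup"))
    return hits


if __name__ == "__main__":
    print(classify_config(EXTRACTED_CONFIG))
    for line, reason in hunt_proxy_log(SAMPLE_PROXY_LOG, hunt_indicators(EXTRACTED_CONFIG)):
        print(reason, line)
```

classify_config reports every field except the Telegram URL as a builder default, and hunt_indicators yields no TCP socket to block because all three C2 hosts are loopback; the only durable network indicator is the bot-token path, which is why the proxy matcher keys on it and deliberately ignores traffic to a different bot.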
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (panel.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (panel.exe)
On its own this is weak signal: the same key is read by any software that reports the CPU model, and here it is equally consistent with the system report the stealer stages under System\ (see Downloads). Note also that these are reads, which Sysmon registry events (key create/delete, value set, rename) do not record; catching them on an endpoint needs an object-access SACL on the key or an ETW-based sensor.
Suspicious behavior: EnumeratesProcesses (25 IoCs)
25 process-enumeration events, all from PID 1956 (panel.exe), consistent with the System\Process.txt file listed under Downloads.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 1956 (panel.exe)

Suspicious use of WriteProcessMemory (21 IoCs)
Each row appears three times in the raw report; the distinct writer/target pairs are:
PID 1956 (panel.exe) wrote to memory of PID 2212 (cmd.exe), procid_target 87
PID 2212 (cmd.exe) wrote to memory of PID 4796 (chcp.com), procid_target 89
PID 2212 (cmd.exe) wrote to memory of PID 1088 (netsh.exe), procid_target 90
PID 2212 (cmd.exe) wrote to memory of PID 1148 (findstr.exe), procid_target 91
PID 1956 (panel.exe) wrote to memory of PID 3324 (cmd.exe), procid_target 93
PID 3324 (cmd.exe) wrote to memory of PID 4756 (chcp.com), procid_target 95
PID 3324 (cmd.exe) wrote to memory of PID 2392 (netsh.exe), procid_target 96
Every target is the writer's own newly created child in the process tree below, which is the normal CreateProcess pattern (the parent writes startup data into the child) rather than injection into an unrelated process. Treat this signature as corroborating the tree, not as a separate injection finding.
Processes
- C:\Users\Admin\AppData\Local\Temp\panel.exe (PID 1956, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\panel.exe"
  signatures: Drops desktop.ini file(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2212, depth 2)
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (PID 4796, depth 3)
      command line: chcp 65001
    - C:\Windows\SysWOW64\netsh.exe (PID 1088, depth 3)
      command line: netsh wlan show profile
    - C:\Windows\SysWOW64\findstr.exe (PID 1148, depth 3)
      command line: findstr All
  - C:\Windows\SysWOW64\cmd.exe (PID 3324, depth 2)
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (PID 4756, depth 3)
      command line: chcp 65001
    - C:\Windows\SysWOW64\netsh.exe (PID 2392, depth 3)
      command line: netsh wlan show networks mode=bssid

The children live in SysWOW64, so panel.exe is a 32-bit process (matching the arch:x86 resource tag) and its shell-outs resolve to the WOW64 copies of cmd.exe, netsh.exe and findstr.exe. The two cmd.exe chains are the stealer's Wi-Fi module: chcp 65001 switches the console to UTF-8 so non-ASCII SSIDs survive parsing, netsh wlan show profile enumerates saved Wi-Fi profiles (findstr All keeps the "All User Profile" lines), and netsh wlan show networks mode=bssid records nearby access points with their BSSIDs. No netsh wlan show profile name=<profile> key=clear command, the step that would reveal saved keys, appears in this run, which is what you would expect on a sandbox VM with no saved profiles to iterate over.
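The process chain above is easy to express as a detection over process-creation telemetry. What follows is an added example, not part of the sandbox report: events use Sysmon Event ID 1 field names and are constructed here to mirror the report's tree (same PIDs and command lines) plus one benign admin session for contrast. The key=clear pattern (the follow-on that dumps saved keys, absent from this run) and the list of benign origin processes are assumptions to tune per environment.

```python
"""Detect the Wi-Fi harvesting chain in this report from process-creation telemetry.

Added example, not part of the sandbox report. Events use Sysmon Event ID 1
field names and are constructed below to mirror the report's process tree
(same PIDs and command lines) plus one benign admin session. The key=clear
pattern and the benign-origin list are assumptions, not report content.
"""
import re

SAMPLE_EVENTS = [
    # from the report: panel.exe -> cmd.exe -> netsh.exe (profile enumeration)
    {"ProcessId": 2212, "ParentProcessId": 1956, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\panel.exe",
     "CommandLine": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"ProcessId": 1088, "ParentProcessId": 2212, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "netsh wlan show profile"},
    # from the report: panel.exe -> cmd.exe -> netsh.exe (BSSID survey)
    {"ProcessId": 3324, "ParentProcessId": 1956, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\panel.exe",
     "CommandLine": '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    {"ProcessId": 2392, "ParentProcessId": 3324, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "netsh wlan show networks mode=bssid"},
    # constructed benign contrast: an admin opened a console from Explorer and ran the same query
    {"ProcessId": 4000, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"C:\\Windows\\System32\\cmd.exe"'},
    {"ProcessId": 5000, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "netsh wlan show profile"},
]

WLAN_PROFILE_RE = re.compile(r"netsh(\.exe)?\s+wlan\s+show\s+profile", re.I)
WLAN_BSSID_RE = re.compile(r"netsh(\.exe)?\s+wlan\s+show\s+networks\s+mode=bssid", re.I)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.I)  # assumption: the follow-on key dump
# Assumption: a console whose origin is one of these is an admin typing; tune per estate.
BENIGN_ORIGINS = {"explorer.exe", "windowsterminal.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_wifi_harvest(events):
    """One finding per origin process that drove netsh wlan queries through cmd.exe wrappers."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = {}
    for e in events:
        if _basename(e["Image"]) != "netsh.exe":
            continue
        cmd = e["CommandLine"]
        techniques = set()
        if WLAN_PROFILE_RE.search(cmd):
            techniques.add("wlan_profile_enum")
        if WLAN_BSSID_RE.search(cmd):
            techniques.add("wlan_bssid_survey")
        if KEY_CLEAR_RE.search(cmd):
            techniques.add("wlan_key_dump")
        if not techniques:
            continue
        # Walk up through cmd.exe wrappers to the process that actually wanted the data.
        origin_pid, origin_image = e["ParentProcessId"], _basename(e["ParentImage"])
        hops = 0
        while origin_image == "cmd.exe" and origin_pid in by_pid and hops < 8:
            wrapper = by_pid[origin_pid]
            origin_pid, origin_image = wrapper["ParentProcessId"], _basename(wrapper["ParentImage"])
            hops += 1
        if origin_image in BENIGN_ORIGINS:
            continue
        f = findings.setdefault(origin_pid, {"origin_pid": origin_pid, "origin_image": origin_image,
                                             "techniques": set()})
        f["techniques"] |= techniques
    for f in findings.values():
        # Profile enumeration plus a BSSID survey from one origin (or any key dump) is the stealer pattern.
        f["severity"] = "high" if len(f["techniques"]) > 1 or "wlan_key_dump" in f["techniques"] else "medium"
    return sorted(findings.values(), key=lambda f: f["origin_pid"])


if __name__ == "__main__":
    for finding in detect_wifi_harvest(SAMPLE_EVENTS):
        print(finding)
```

Grouping by the first non-cmd.exe ancestor is what makes the two separate cmd.exe chains in the report collapse into a single high-severity finding against PID 1956, while the same netsh query typed by an admin in an Explorer-launched console produces nothing.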
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Browsers\Firefox\Bookmarks.txt
Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\System\Process.txt
Filesize: 4KB
MD5: fa4ce21358a2a8e505335c281c2d9a10
SHA1: 4341fbdd6ae5f9a9eab36e91153b849163a8de11
SHA256: d52d5ee16cbeaf78323955fbd458ed6cd62ea9613343a0261dd0b29ddfb59275
SHA512: 2e5418c644ca8d882526ab20d0423e40bc821ad2b9e45de15e87e9381fc5c98945b1d45e8f27819e280dee6bc9de0d152df49f7dc736f042e79e7e81f6f06db4

Third dropped file (path not present in the report)
Filesize: 4B
MD5: 32b3ee0272954b956a7d1f86f76afa21
SHA1: 3eaf3c4852eb47b67a2e8e02b825b3f492db6d59
SHA256: dfc04c940f3b91d8a8316579ecd027fb98be2ead43b0a0bacf78a12babae4d05
SHA512: 83d24c6f19496c1c32409cd7be2dab0de63d638818440fae5bc60c7156353c2692fdece32a271ef9a777370c8cb4ec0aeb798d46e92ce5273a27cc9c96697ad9
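The dropped-file paths here and the desktop.ini paths under Signatures share one layout, %LOCALAPPDATA%\<32 hex chars>\<user>@<host>_<locale>\{Browsers,Grabber,System}\..., which is a usable host artifact for triage of other machines. The following is an added example, not part of the sandbox report, that scans a LocalAppData directory for that layout. The sample tree is constructed in a temporary directory with placeholder content; the module names are the three seen in this report, and the assumption that hostnames contain no underscore is noted at the regex.

```python
r"""Hunt for the stealer's staging directory layout seen in this report.

Added example, not part of the sandbox report. It looks for the layout visible
in the report's file paths:
    %LOCALAPPDATA%\<32 hex chars>\<user>@<host>_<locale>\{Browsers,Grabber,System}\...
The sample tree is constructed in a temporary directory with placeholder
content; module names beyond the three seen in this report are not assumed.
"""
import os
import re
import tempfile
from pathlib import Path

STAGING_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # MD5-looking dir name, e.g. 0d190aa2d37c1d60bc2efbca4cf6b02b
# Assumption: hostnames carry no '_' (Windows computer names normally do not), so the last '_' starts the locale.
PROFILE_RE = re.compile(r"^(?P<user>[^@\\/]+)@(?P<host>[^_\\/]+)_(?P<locale>[A-Za-z]{2}(?:-[A-Za-z]{2})?)$")
KNOWN_MODULES = {"Browsers", "Grabber", "System"}  # subfolders present in this report


def find_staging_dirs(local_appdata):
    """Return one record per <id>/<user>@<host>_<locale> tree that holds at least one known module."""
    hits = []
    root = Path(local_appdata)
    if not root.is_dir():
        return hits
    for id_dir in root.iterdir():
        if not (id_dir.is_dir() and STAGING_ID_RE.match(id_dir.name)):
            continue
        for profile in id_dir.iterdir():
            m = PROFILE_RE.match(profile.name) if profile.is_dir() else None
            if not m:
                continue
            modules = {p.name for p in profile.iterdir() if p.is_dir()}
            if not modules & KNOWN_MODULES:
                continue  # a 32-hex cache dir with some other layout, not this stealer
            n_files = sum(len(files) for _, _, files in os.walk(profile))
            hits.append({"path": str(profile), "user": m["user"], "host": m["host"],
                         "locale": m["locale"], "modules": sorted(modules), "files": n_files})
    return hits


def build_sample_tree(base):
    """Construct a tree shaped like this report's paths (placeholder content, no real data)."""
    profile = Path(base) / "0d190aa2d37c1d60bc2efbca4cf6b02b" / "Admin@ROBKQPFG_en-US"
    for rel in ("Browsers/Firefox/Bookmarks.txt", "System/Process.txt",
                "Grabber/DRIVE-C/Users/Admin/Documents/desktop.ini",
                "Grabber/DRIVE-C/Users/Admin/Downloads/desktop.ini"):
        path = profile / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed placeholder\n")
    # Decoys that must not match: a 32-hex app cache without the user@host layer, and a normal vendor dir.
    (Path(base) / "0123456789abcdef0123456789abcdef" / "cache").mkdir(parents=True)
    (Path(base) / "Microsoft" / "Windows").mkdir(parents=True)
    return str(profile)


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_staging_dirs(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a live host point find_staging_dirs at %LOCALAPPDATA% for each user profile (or at the mounted equivalent on a disk image); the user@host_locale directory name doubles as a quick confirmation of which account and machine the data was taken from, and the file count gives a rough idea of how much was staged before exfiltration.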