Analysis
-
max time kernel
30s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
07-05-2023 09:04
Behavioral task
behavioral1
Sample
implosions.exe
Resource
win7-20230220-en
General
-
Target
implosions.exe
-
Size
95KB
-
MD5
7e2d328e7e2552be4a862e83f9c7177e
-
SHA1
7d80b8b70676053aaa9d652b721c574ad81b011f
-
SHA256
bdde06b2f10392b9c34fd2d03dc90c33542f96bdedd67b201dd0c782a1b4bf9b
-
SHA512
7019d5f9304c380fd6abb609ba78c912dabfc11196a99130ec647678977bf1e00a51bb9062c051620d4c77cb48ebd6c5df4d9fd7f0e13c0e71285d39c2d9cc4d
-
SSDEEP
1536:9qs+XqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2t3tmulgS6pY:r0gzWHY3+zi0ZbYe1g0ujyzdxY
Malware Config
Extracted
redline
cheat
95.214.27.27:33806
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1052-54-0x0000000000A00000-0x0000000000A1E000-memory.dmp family_redline behavioral1/memory/1052-55-0x0000000004820000-0x0000000004860000-memory.dmp family_redline behavioral1/memory/1052-77-0x0000000004820000-0x0000000004860000-memory.dmp family_redline -
SectopRAT payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1052-54-0x0000000000A00000-0x0000000000A1E000-memory.dmp family_sectoprat behavioral1/memory/1052-55-0x0000000004820000-0x0000000004860000-memory.dmp family_sectoprat behavioral1/memory/1052-77-0x0000000004820000-0x0000000004860000-memory.dmp family_sectoprat -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
implosions.exepid process 1052 implosions.exe 1052 implosions.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
implosions.exedescription pid process Token: SeDebugPrivilege 1052 implosions.exe
Processes
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
92KB
MD56d08bf9c3c653acdf38bb837cb4634bc
SHA1f171a5ce04d67253ee2ef50d749e5940e4b83946
SHA2562a9e7046d1e4447ae01adcf18e1aadd5ac9df5743b540db34df8fb79b80ef1bf
SHA512a055321e6673e5afa1cef0bb12e46c56207c1eb90254e66f0ddc40c754ab48611b30b8aecc0214f7ce22a9758b764848f948ffe643d41861e2759c4d81e24f4e