Overview

overview

10

Static

static

10

build9exe.exe

windows7-x64

10

build9exe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2023 07:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build9exe.exe

  • Size

    95KB

  • MD5

    2c5a75b7d24847bc5d206adb5c630a18

  • SHA1

    89ca4d98947ab1248c022d66a23279f04cca6bbf

  • SHA256

    dd09828ffbfdd784f83cac83641b8a0c3ca04b76becabb0ab5d170ad1bc169a7

  • SHA512

    2ff1ad476ea1c72f6e1cda33f601e2eae06ca87bf4554cd085e17512a88ad515e95d42706e8e0a2c2b1fe17c9e0f1c511ef1554333d17a7e6e111b1531acc789

  • SSDEEP

    1536:Fqs8haqpalbG6jejoigIP43Ywzi0Zb78ivombfexv0ujXyyed2YtmulgS6pQl:DiaKaYP+zi0ZbYe1g0ujyzdsQ

Score
10/10
redlinesectopratcryptoinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

crypto

C2

163.123.142.235:61068

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\build9exe.exe
    "C:\Users\Admin\AppData\Local\Temp\build9exe.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4992
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:4364

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4992-133-0x00000000003E0000-0x00000000003FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4992-134-0x00000000052F0000-0x0000000005908000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4992-135-0x0000000004D80000-0x0000000004D92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4992-136-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4992-138-0x0000000005080000-0x000000000518A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4992-139-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4992-146-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

    Filesize

    64KB

    Download