Overview

overview

10

Static

static

10

1fd972fa7b...e7.exe

windows7-x64

10

1fd972fa7b...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2023 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1fd972fa7b5d9b8b1457dd025aa1ffe7.exe

  • Size

    25.6MB

  • MD5

    1fd972fa7b5d9b8b1457dd025aa1ffe7

  • SHA1

    2879d38e0b6fe1b930fafbe6415b641b5efc68e4

  • SHA256

    520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d

  • SHA512

    9f5869d6e6ae67559f5a82d0841307ac1b6d09946c5ba963964d6a01e1c9aa17a229bfe30ec67e72c7f514e21c585c8ad1369bb6100d1aa16de3f829e7f527e1

  • SSDEEP

    98304:ylQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxI:uQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRp

Score
10/10
auroraredlineshurklxixdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

LXIX

C2

5.35.33.167:17154

Attributes
  • auth_value

    3f30d9c8480a0830cfcc9a091fac5fca

Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

    stealeraurora
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
    "C:\Users\Admin\AppData\Local\Temp\1fd972fa7b5d9b8b1457dd025aa1ffe7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\Aurora.exe
      "C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
      2⤵
      • Executes dropped EXE
      PID:2796
    • C:\Users\Admin\AppData\Local\Temp\LXIX.exe
      "C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Aurora.exe
    Filesize

    25.4MB

    MD5

    ad9aa927339dc830a38021afbe20a85f

    SHA1

    8017bea5f073064a27f61390ce6433cc110f55ea

    SHA256

    6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

    SHA512

    43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Aurora.exe
    Filesize

    25.4MB

    MD5

    ad9aa927339dc830a38021afbe20a85f

    SHA1

    8017bea5f073064a27f61390ce6433cc110f55ea

    SHA256

    6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

    SHA512

    43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Aurora.exe
    Filesize

    25.4MB

    MD5

    ad9aa927339dc830a38021afbe20a85f

    SHA1

    8017bea5f073064a27f61390ce6433cc110f55ea

    SHA256

    6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

    SHA512

    43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\LXIX.exe
    Filesize

    201KB

    MD5

    e25ed1abec99ab85498dbe0ac648875b

    SHA1

    739af601d9eaccae5bdc7c314d30de324f1a342b

    SHA256

    977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

    SHA512

    4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\LXIX.exe
    Filesize

    201KB

    MD5

    e25ed1abec99ab85498dbe0ac648875b

    SHA1

    739af601d9eaccae5bdc7c314d30de324f1a342b

    SHA256

    977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

    SHA512

    4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\LXIX.exe
    Filesize

    201KB

    MD5

    e25ed1abec99ab85498dbe0ac648875b

    SHA1

    739af601d9eaccae5bdc7c314d30de324f1a342b

    SHA256

    977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

    SHA512

    4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

    Download Submit
  • memory/1288-159-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1288-161-0x00000000051B0000-0x0000000005226000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1288-154-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1288-155-0x0000000005410000-0x0000000005A28000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1288-157-0x0000000004F00000-0x000000000500A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1288-158-0x0000000004E40000-0x0000000004E52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1288-153-0x00000000004B0000-0x00000000004E8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1288-171-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1288-160-0x0000000004EA0000-0x0000000004EDC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1288-169-0x0000000006530000-0x0000000006580000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1288-162-0x00000000052D0000-0x0000000005362000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1288-163-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1288-164-0x0000000005230000-0x0000000005296000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1288-165-0x00000000065D0000-0x0000000006B74000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1288-166-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1288-167-0x0000000006D50000-0x0000000006F12000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1288-168-0x00000000076A0000-0x0000000007BCC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2796-156-0x00007FF6F2A60000-0x00007FF6F436B000-memory.dmp
    Filesize

    25.0MB

    Download
  • memory/4692-152-0x0000000000400000-0x0000000001DAA000-memory.dmp
    Filesize

    25.7MB

    Download