Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 17-01-2024 19:34

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20231215-en
General
- Target: file.exe
- Size: 2.8MB
- MD5: a95b7d1ef3c4f8932fa97c287dd54c70
- SHA1: 771e6c19fb90aa257f748c41539725f71ca96970
- SHA256: a91ab913b292db7d5791d76bcf96303ce16bddcf84e631ba109a0f0c2eb9563b
- SHA512: 79ed2066fdfa31b9a6045bdbabf0b58b071c0aa947b32a4a585c20892dc6dea62ed6626ec7546cfc2d46c5d356b71b336214c7cd529aa14fb89f83f004ce1e1d
- SSDEEP: 24576:4oT0RJ0DfNYx0UqU6OOPSxjQmTOcSc9rvjlaWDXvoZWiUI6bp8psQ0wct/VWv2yP:4f/0hYjqUGPcQOOcvjQWDoZ/p6afZux
Malware Config
Extracted: redline
- Botnet: Exodus
- C2: 94.156.66.169:1334

Extracted: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.2
- Botnet: Default
- C2: 94.156.66.169:4449
- Mutex: qjqbhebpmrzg
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2364-6-0x0000000000080000-0x000000000009E000-memory.dmp    family_redline
  behavioral1/memory/2364-12-0x0000000000080000-0x000000000009E000-memory.dmp   family_redline
  behavioral1/memory/2364-10-0x0000000000080000-0x000000000009E000-memory.dmp   family_redline
- SectopRAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2364-6-0x0000000000080000-0x000000000009E000-memory.dmp    family_sectoprat
  behavioral1/memory/2364-12-0x0000000000080000-0x000000000009E000-memory.dmp   family_sectoprat
  behavioral1/memory/2364-10-0x0000000000080000-0x000000000009E000-memory.dmp   family_sectoprat
- Async RAT payload (2 IoCs)
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\asdfads.exe                                   asyncrat
  behavioral1/memory/2212-136-0x0000000000180000-0x0000000000198000-memory.dmp  asyncrat
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid   process
  2212  asdfads.exe
- Loads dropped DLL (1 IoC)
  pid   process
  2364  jsc.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description                            pid   process   target process
  PID 1564 set thread context of 2364    1564  file.exe  jsc.exe
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid   process      events
  2364  jsc.exe      2
  2212  asdfads.exe  27
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   2364  jsc.exe
  Token: SeDebugPrivilege   2212  asdfads.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2212  asdfads.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                           pid   process   target process   events
  PID 1564 wrote to memory of 2364      1564  file.exe  jsc.exe          6
  PID 2364 wrote to memory of 2212      2364  jsc.exe   asdfads.exe      4
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\asdfads.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\asdfads.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\Cab6856.tmp (65KB)
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- C:\Users\Admin\AppData\Local\Temp\Tar6869.tmp (171KB)
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- C:\Users\Admin\AppData\Local\Temp\tmp6A42.tmp (46KB)
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- C:\Users\Admin\AppData\Local\Temp\tmp6A57.tmp (92KB)
  MD5: 1a99d0ce63b1ab78ddbb5a7bf06560a2
  SHA1: a09f03e92d5145b43ca275fcbba74d022337a5c3
  SHA256: 991340ed225d8fdffb7c54a0787cf1f825951c26e81e43df92e68e397dd66741
  SHA512: abd39738999951e60c213d0045447f95390fa469f8c875ff6d4e30d8d97d405245d1f6264464a996bae43c3095cf6bd8643d3f07c45e7341f7e840877d501080
- \Users\Admin\AppData\Local\Temp\asdfads.exe (73KB)
  MD5: a042db8045036de713193f079fe61d6f
  SHA1: 10cbda77553e4d1441c0d7d81c838dd41307c751
  SHA256: 658d8cc670cfd05ce62ccfbde1885db5e5581a658c2fae67b96c01f4fdf6957a
  SHA512: 824bf3a4f3d0a9a3dc691d877dd3a3944e3856ab1cb703292e8f1ab7e7def9bae8717807d19c54760bdbd3465fc603bfe0f8ecf3bd0e630c463477a45d170807
Memory dumps:
  dump                                                                 size
  memory/1564-8-0x000000013F6B0000-0x000000013F9D7000-memory.dmp       3.2MB
  memory/2212-139-0x000000001B0D0000-0x000000001B150000-memory.dmp     512KB
  memory/2212-136-0x0000000000180000-0x0000000000198000-memory.dmp     96KB
  memory/2212-144-0x0000000076CC0000-0x0000000076E69000-memory.dmp     1.7MB
  memory/2212-143-0x000000001B0D0000-0x000000001B150000-memory.dmp     512KB
  memory/2212-142-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp     9.9MB
  memory/2212-141-0x0000000076CC0000-0x0000000076E69000-memory.dmp     1.7MB
  memory/2212-138-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp     9.9MB
  memory/2364-12-0x0000000000080000-0x000000000009E000-memory.dmp      120KB
  memory/2364-6-0x0000000000080000-0x000000000009E000-memory.dmp       120KB
  memory/2364-4-0x0000000000080000-0x000000000009E000-memory.dmp       120KB
  memory/2364-140-0x0000000073DC0000-0x00000000744AE000-memory.dmp     6.9MB
  memory/2364-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp       4KB
  memory/2364-14-0x0000000001F70000-0x0000000001FB0000-memory.dmp      256KB
  memory/2364-10-0x0000000000080000-0x000000000009E000-memory.dmp      120KB
  memory/2364-13-0x0000000073DC0000-0x00000000744AE000-memory.dmp      6.9MB