Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2024 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    95KB

  • MD5

    57935225dcb95b6ed9894d5d5e8b46a8

  • SHA1

    1daf36a8db0b79be94a41d27183e4904a1340990

  • SHA256

    79d7b0f170471f44ed6c07ddb4c4c9bb20c97235aef23ac052e692cb558a156d

  • SHA512

    1b6362bdb7f6b177773357f5fe8e7d7ee44716fd8e63e663e446f4e204af581491d05345c12cd9cca91fd249383817da21ef2241011cdc251b7e299560ea48c0

  • SSDEEP

    1536:9qskXqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2etmulgS6pY:rCgzWHY3+zi0ZbYe1g0ujyzdqY

Score
10/10
redlinesectopratexodusdiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

Exodus

C2

93.123.39.68:1334

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp65C0.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp65E5.tmp
    Filesize

    2KB

    MD5

    e19b8ee1e5e805b5e514f59738d77642

    SHA1

    ca1389d6a848bf74f1c977b76312dfbdb21769fe

    SHA256

    66bc6651e2ec5880eacffdf14004837e912d1481420c2b24d48b0b0a872d6027

    SHA512

    20786098cd224f761db2b876eddc7ac98e5723d4e6483cb4c549d77a1586b6b30744541af4b7791c6d90003c21b6c25fb07a7ce8923bb1bcec1d63901409b71f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6601.tmp
    Filesize

    48KB

    MD5

    349e6eb110e34a08924d92f6b334801d

    SHA1

    bdfb289daff51890cc71697b6322aa4b35ec9169

    SHA256

    c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

    SHA512

    2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6616.tmp
    Filesize

    1KB

    MD5

    55f6abc8955b59465b3010241d2bca1c

    SHA1

    2cf5eb8a98b782b86695b2044aee53612e4c2ddc

    SHA256

    b666d00bfab1ab963ca5aca59afb9a9c2dbb983cacc64272b846209a2d407236

    SHA512

    2fa6ee9a974bde52cc022418acacd84317cb29c833ae4bea00cbf82cae24a1b3765b87f1633510f3b5592ef700790d071ff0fdcdd8c8f752b638b26e0c93baac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp661C.tmp
    Filesize

    57KB

    MD5

    b557b628486b274863af68d3511e4478

    SHA1

    568687c621a12ba294f8e9116678465731f1c276

    SHA256

    fb6ef39773f4152ade00a12c08503b6d17890a8146703ca32609da4897b509ec

    SHA512

    1ede4919ab33c51a5a88da59490581a4e7c469c15d3dffeba10ead22618770350bd59679b9e3188109f67570bdc9996dbcc31e7c259915b0ff365b0787e5acf7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6638.tmp
    Filesize

    96KB

    MD5

    d367ddfda80fdcf578726bc3b0bc3e3c

    SHA1

    23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

    SHA256

    0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

    SHA512

    40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

    Download Submit
  • memory/4936-6-0x00000000055B0000-0x00000000055FC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4936-12-0x0000000007010000-0x00000000070A2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4936-8-0x0000000006AF0000-0x0000000006CB2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4936-9-0x00000000071F0000-0x000000000771C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4936-10-0x0000000006A80000-0x0000000006AE6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4936-11-0x0000000007CD0000-0x0000000008274000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4936-13-0x00000000070B0000-0x0000000007126000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4936-7-0x0000000005810000-0x000000000591A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4936-14-0x0000000007170000-0x000000000718E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4936-5-0x0000000005500000-0x0000000005510000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4936-1-0x0000000074D60000-0x0000000075510000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4936-4-0x0000000005570000-0x00000000055AC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4936-3-0x0000000005510000-0x0000000005522000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4936-2-0x0000000005B30000-0x0000000006148000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4936-0-0x0000000000B40000-0x0000000000B5E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4936-194-0x0000000074D60000-0x0000000075510000-memory.dmp
    Filesize

    7.7MB

    Download