Analysis
- max time kernel: 61s
- max time network: 75s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2024 10:06

- Static task: static1
- Behavioral task: behavioral1
- Sample: installerV2.rar
- Resource: win10v2004-20231215-en
General
- Target: installerV2.rar
- Size: 109.2MB
- MD5: c0e7e4afe60cb81f513e6037a692b6d3
- SHA1: fc8ac256ebc4065cfdfa2d073eb5b081fee2045c
- SHA256: a230fc03c202928b2f7ce173273bd314ca5ebd1c59a16b6cfb36440b585fc756
- SHA512: fce28b01da4d5773b238c581a737b61ea88197c3b5dc7456e2d17f9699e8e5a78a19cc64d6a57a4a417943dd9a433aa7010b582dfb4b24c492def4bb6b187268
- SSDEEP: 1572864:e5k/y9dDXB6x9A6fiObagxD3ImGugnp/rWH2mtSt5tnfeAJIQDLw4nBsEJQQEimN:GbdDXB6jfdtiaPtS9nfVIQvwGWEJQunw
Malware Config
Extracted
- redline: 45.15.156.142:33597
Signatures
- Detect Poverty Stealer Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1096-105-0x0000000000340000-0x000000000034A000-memory.dmp: family_povertystealer
  - behavioral1/memory/1096-108-0x0000000000340000-0x000000000034A000-memory.dmp: family_povertystealer
  - behavioral1/memory/1096-110-0x0000000000340000-0x000000000034A000-memory.dmp: family_povertystealer
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes (resource / yara_rule):
  - behavioral1/memory/3132-80-0x0000000001240000-0x0000000001294000-memory.dmp: family_redline
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 3132 setup.exe
  - 3580 Installer.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 3580 set thread context of 1096: 3580 Installer.exe -> ADelRCP.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
  - 3132 setup.exe (reported 5 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
  - 1592 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
  - Token: SeRestorePrivilege, 1592 7zFM.exe
  - Token: 35, 1592 7zFM.exe
  - Token: SeSecurityPrivilege, 1592 7zFM.exe
  - Token: SeDebugPrivilege, 3132 setup.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  - 1592 7zFM.exe (reported 2 times)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / pid / process / target process):
  - PID 3672 wrote to memory of 1592: 3672 cmd.exe -> 7zFM.exe (reported 2 times)
  - PID 3580 wrote to memory of 1096: 3580 Installer.exe -> ADelRCP.exe (reported 5 times)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\installerV2.rar
  PID: 3672
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\installerV2.rar"
    PID: 1592
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4944
- C:\Users\Admin\Desktop\installerV2\setup.exe
  Command line: "C:\Users\Admin\Desktop\installerV2\setup.exe"
  PID: 3132
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Desktop\installerV2\Installer.exe
  Command line: "C:\Users\Admin\Desktop\installerV2\Installer.exe"
  PID: 3580
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
    PID: 1096
Network
MITRE ATT&CK Enterprise v15
Downloads