Malware Analysis Report

2024-10-23 17:19

Sample ID 240202-l5fw4abda7
Target installerV2.rar
SHA256 a230fc03c202928b2f7ce173273bd314ca5ebd1c59a16b6cfb36440b585fc756
Tags
povertystealer redline discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a230fc03c202928b2f7ce173273bd314ca5ebd1c59a16b6cfb36440b585fc756

Threat Level: Known bad

The file installerV2.rar was found to be: Known bad.

Malicious Activity Summary

povertystealer redline discovery infostealer spyware stealer

RedLine payload

Detect Poverty Stealer Payload

Poverty Stealer

RedLine

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15): no technique mappings are recorded in this export of the report.

Analysis: static1

Detonation Overview

Reported

2024-02-02 10:12

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 10:06

Reported

2024-02-02 10:16

Platform

win10v2004-20231215-en

Max time kernel

61s

Max time network

75s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\installerV2.rar

Signatures

Detect Poverty Stealer Payload

Poverty Stealer

stealer povertystealer

RedLine

infostealer redline

RedLine payload

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\installerV2\setup.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\installerV2\Installer.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3580 set thread context of 1096 | N/A | C:\Users\Admin\Desktop\installerV2\Installer.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 (privilege LUID 35, SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\installerV2\setup.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\installerV2.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\installerV2.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\installerV2\setup.exe

"C:\Users\Admin\Desktop\installerV2\setup.exe"

C:\Users\Admin\Desktop\installerV2\Installer.exe

"C:\Users\Admin\Desktop\installerV2\Installer.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
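Added example (not part of the sandbox report): detection logic for the pattern the SetThreadContext signature and the process list above describe, a binary in a user-writable directory (Installer.exe, PID 3580) opening a signed vendor binary it started (ADelRCP.exe, PID 1096) with write access before redirecting a thread into it. The input records are constructed Sysmon-style process-create and process-access events; PIDs 3580 and 1096 come from the report, every other PID and the assumption that Installer.exe is the parent of ADelRCP.exe are the example's own.

```python
"""Flag parent/child pairs where a loader in a user-writable path opens a
vendor binary with VM_OPERATION|VM_WRITE (the access a hollowing loader
needs before WriteProcessMemory/SetThreadContext). Events are constructed."""
from dataclasses import dataclass

# Process access rights from winnt.h.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Where an unprivileged user can drop files, vs. roots holding signed
# vendor binaries that a hollowing loader hides behind.
USER_WRITABLE = ("\\users\\", "\\programdata\\")
VENDOR_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ProcessCreate:          # Sysmon event 1, fields trimmed
    pid: int
    image: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class ProcessAccess:          # Sysmon event 10, fields trimmed
    source_pid: int
    target_pid: int
    granted_access: int


def _under(path, roots):
    p = path.lower()
    return any(r in p for r in roots)


def find_hollowing(creates, accesses):
    """Return one finding per access event where a user-writable-path
    process opens a vendor-root process with at least VM_OPERATION|VM_WRITE."""
    by_pid = {c.pid: c for c in creates}
    findings = []
    for acc in accesses:
        src = by_pid.get(acc.source_pid)
        dst = by_pid.get(acc.target_pid)
        if src is None or dst is None:
            continue                      # unknown process, cannot classify
        if acc.granted_access & WRITE_MASK != WRITE_MASK:
            continue                      # query/read handles are routine noise
        if not (_under(src.image, USER_WRITABLE) and _under(dst.image, VENDOR_ROOTS)):
            continue
        findings.append({
            "source_pid": acc.source_pid,
            "source_image": src.image,
            "target_pid": acc.target_pid,
            "target_image": dst.image,
            "is_parent": dst.parent_pid == acc.source_pid,
            "granted_access": hex(acc.granted_access),
        })
    return findings


# Constructed events. 3580/1096 are the report's PIDs; 3132, 2200 and 4100
# are made up, as is Installer.exe being the parent of ADelRCP.exe.
CREATES = [
    ProcessCreate(3580, r"C:\Users\Admin\Desktop\installerV2\Installer.exe",
                  3132, r"C:\Users\Admin\Desktop\installerV2\setup.exe"),
    ProcessCreate(1096, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe",
                  3580, r"C:\Users\Admin\Desktop\installerV2\Installer.exe"),
    ProcessCreate(4100, r"C:\Windows\System32\notepad.exe",
                  2200, r"C:\Windows\explorer.exe"),      # benign control
]
ACCESSES = [
    ProcessAccess(3580, 1096, 0x1FFFFF),   # PROCESS_ALL_ACCESS handle
    ProcessAccess(2200, 4100, 0x1000),     # PROCESS_QUERY_LIMITED_INFORMATION
]

if __name__ == "__main__":
    for finding in find_hollowing(CREATES, ACCESSES):
        print(finding)
```

The rule keys on the access mask rather than on SetThreadContext itself, because Sysmon does not log thread-context changes; a real deployment would also want the suspended-process creation flag from an EDR that exposes it, and the SeDebugPrivilege enable by setup.exe recorded above as a supporting signal.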

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 20.231.121.79:80 | - | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
NL | 45.15.156.142:33597 | - | tcp
US | 8.8.8.8:53 | 142.156.15.45.in-addr.arpa | udp
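Added example (not part of the report): a triage pass over the network table above. Most rows are reverse (PTR) lookups sent to 8.8.8.8, which the script folds back into the IPs they name so that a direct TCP connection can be matched with its own reverse lookup; the remaining rows are the outbound connections, tagged by whether they use a non-standard port. The table rows are embedded exactly as printed above; the choice of 80/443 as "common" ports is the example's own.

```python
"""Fold in-addr.arpa lookups back to IPv4 addresses and list the direct
connections from a sandbox network table, flagging odd ports and connections
that the host also reverse-resolved."""
import ipaddress
from collections import namedtuple

Row = namedtuple("Row", "country dest domain proto")

# Rows copied from the report's Network table (domain column empty for the
# two direct TCP connections).
NETWORK_TABLE = """\
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
NL 45.15.156.142:33597 tcp
US 8.8.8.8:53 142.156.15.45.in-addr.arpa udp
"""


def parse_rows(text):
    """Parse whitespace-separated rows; a missing domain leaves 3 fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError("unexpected row: %r" % line)
        rows.append(Row(country, dest, domain, proto))
    return rows


def ptr_to_ip(name):
    """'142.156.15.45.in-addr.arpa' -> '45.15.156.142'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    ip = ".".join(reversed(labels))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def triage(rows, resolver="8.8.8.8", common_ports=(80, 443)):
    """Return the direct connections with two flags: whether the same IP was
    also reverse-resolved, and whether the port is outside common_ports."""
    resolved = {ptr_to_ip(r.domain) for r in rows if r.domain}
    resolved.discard(None)
    findings = []
    for r in rows:
        ip, port = r.dest.rsplit(":", 1)
        port = int(port)
        if ip == resolver and port == 53:
            continue                      # the DNS leg, not a contact
        findings.append({
            "dest": r.dest, "ip": ip, "port": port, "country": r.country,
            "proto": r.proto,
            "ptr_lookup_seen": ip in resolved,
            "nonstandard_port": port not in common_ports,
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_rows(NETWORK_TABLE)):
        print(f)
```

On this table the script leaves two direct connections; only 45.15.156.142:33597 is both on a non-standard port and paired with its own PTR lookup, which is the row a handler would carry into blocking and pivoting, while the other PTR names resolve to addresses the table never shows a connection to.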

Files

C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\cef.pak

MD5 4e0569b68960318b7dfe53dbe6832840
SHA1 81cab18b8085fc3652cdc0d9f10efd3068237b22
SHA256 15da2b5b7039dbd5616a9ff42b451df830197df2f8e72e7b208047ed32183329
SHA512 144583181e37a57c2f375acb5c16c27309f21fce3b0a89c93a014bd27a09f7e9882a70ee4746c807c638bd675b6099c222f33dd420f1a804b40e8870002ddfa6

C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\data_1

MD5 abac4265c823916c5e7eff156e9efa0c
SHA1 afe2336ff1030e766bdc0f23bb489518fecf9245
SHA256 c1fee2558ca5efb77691635b1ff92ba3661b8217653f2ffe6150699d44137e6b
SHA512 ee27854a771076d397b0135e7c4cf415d59031479be5739b99b51ec54ca1bee6d0f411ffe7ffee1f2df2a5aa88360ddb94621f6c5ac8ec30c120d7b86c9ef95b

C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\data_0

MD5 ccdad492bf2837b5c39af24e1edeba19
SHA1 559849e557ea273c8b093520f25f71999bb842dd
SHA256 48b6feeab56e590821508aca66a4d4347276719248a39caf4019c41884b51c65
SHA512 638b4a53e3c8210cd60b16b69b8ac96745451f9b28abca9106e56bc740f98461cf06d8be0b355f429db358bcdcdc232c6d6e10eb51948d5f43783901658807a6

C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\cef_100_percent.pak

MD5 20c53b63527023e3bc2300fe83e62941
SHA1 0dccc5c4fa3e79cb258406050eeda2c224b6ce31
SHA256 65eb3dcbadc41708c3b6347f13ef1d6b0fdc48fe72dac91c41ff38d390231af7
SHA512 ef54e4a0c47b0621845b1f677b0136933a571c857f46ef7b556f509a5d36c771708505e3216248b540ffbcada08dc289167d91c4ceba7d678de70f499900cd22

C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\index

MD5 2b19239fdfc1ce97f23509562dae213c
SHA1 89874206b901d33a4033cde558f515000d436183
SHA256 2947e7b436276b77907ca9cc9a6a9a0521701086f3bc373e285ddd7bd9551b6c
SHA512 8c92dc7046b25a4537ef88cbc83016894f2b41e04b14bcbae2e947342c15d563998868b27fd119d8b067e9c12914d3e1a37e3be019333f407e3d4551ce511dd4

C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\data_3

MD5 714e585cd3dd6179dbb510f53d35eebd
SHA1 67a940cb03f7759beaf1807e99d11452a92be00b
SHA256 8a43250ae65efa053ad1861d9aad8cf7112e91841eec00e21bc88b4fabbbc136
SHA512 5f796a95ba8771cca62ce88bbd3f99507310335464653ef9ee140053a758ec4c64fd3a827a5a03f154f8756ec32868c243f24b190487b2d206971ab93c9934bc

C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\libcef.dll

MD5 b5936413e69ce35fb354fe0f8d2cdf30
SHA1 2922a763711c0547e314aa9fe188743b7dba15cc
SHA256 d5dc7e48951b2e48a3495d859310c2918a9ce1cbb3eff6115d41fd5073f6a991
SHA512 602b77069e6a330d01e2698a0361043543c6d882f37adb1b128bd3e5e82c92b962f18dc8987247f989d04e407fdb6f5ceb0295ba8c1361cc4dd2ed52336a031e

C:\Users\Admin\Desktop\installerV2\setup.exe

MD5 829ef4d8b56fea0ce1ffa9d2c630c48f
SHA1 87c6c913b1e0c9efd874bde979a3bdad40095686
SHA256 8e0f7f71cdfe332f45d166dceae0d953cb456c6a5a7a3c03aa73af1c25a09736
SHA512 5492c97e962187c9043f390e30ec9229777ddd53d14cd67d6d74225bd68967d6c73f8f21524b964ceaebda3831f9f8c26c06a5ab01a6b9c2db301a36d70ab057

memory/3132-80-0x0000000001240000-0x0000000001294000-memory.dmp

memory/3132-84-0x0000000073F40000-0x00000000746F0000-memory.dmp

memory/3132-85-0x0000000005DF0000-0x0000000006394000-memory.dmp

memory/3132-86-0x00000000058F0000-0x0000000005982000-memory.dmp

memory/3132-87-0x0000000005B20000-0x0000000005B30000-memory.dmp

memory/3132-88-0x00000000059B0000-0x00000000059BA000-memory.dmp

C:\Users\Admin\Desktop\installerV2\Installer.exe

MD5 8103cddcc5484d3af64fe561b008c928
SHA1 e357f8fdbb51c7e3fd9a50bf8e1d416257e8722e
SHA256 cedb2abe919e82436025b857e84fdf25d33a23f8c846d302c699ec3f9556fda0
SHA512 18d240158a713addab611ae2eb1fbd0ade3f95b4bae827663cb11473f993abf5d7ac3ac59f1ffd11c0809651ba4bf1d6e44ea065c4aa55d324b8f75ed2d51ed8

memory/3132-93-0x00000000069C0000-0x0000000006FD8000-memory.dmp

memory/3132-94-0x00000000063A0000-0x00000000064AA000-memory.dmp

memory/3132-95-0x0000000005A90000-0x0000000005AA2000-memory.dmp

memory/3132-96-0x0000000005C20000-0x0000000005C5C000-memory.dmp

memory/3132-97-0x0000000005C60000-0x0000000005CAC000-memory.dmp

memory/3132-100-0x00000000064B0000-0x0000000006516000-memory.dmp

memory/3132-101-0x0000000007390000-0x00000000073E0000-memory.dmp

memory/3132-102-0x00000000075B0000-0x0000000007772000-memory.dmp

memory/3132-103-0x0000000007CB0000-0x00000000081DC000-memory.dmp

memory/3580-104-0x00007FF7345D0000-0x00007FF734935000-memory.dmp

memory/3580-106-0x00007FF7345D0000-0x00007FF734935000-memory.dmp

memory/1096-105-0x0000000000340000-0x000000000034A000-memory.dmp

memory/1096-108-0x0000000000340000-0x000000000034A000-memory.dmp

memory/1096-110-0x0000000000340000-0x000000000034A000-memory.dmp

memory/3132-113-0x0000000073F40000-0x00000000746F0000-memory.dmp