Malware Analysis Report

2024-09-11 08:55

Sample ID 240414-3nz23sgh42
Target MSBuild.exe
SHA256 1c8ba0ea86801366c0e20104ab91dee4693847b2a30c7fe6a65c91ee5e449c09
Tags
redline sectoprat cheat discovery infostealer rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1c8ba0ea86801366c0e20104ab91dee4693847b2a30c7fe6a65c91ee5e449c09

Threat Level: Known bad

The file MSBuild.exe was found to be: Known bad.

Malicious Activity Summary

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

SectopRAT payload

RedLine

RedLine payload

SectopRAT

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-14 23:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 23:40

Reported

2024-04-14 23:42

Platform

win11-20240412-en

Max time kernel

87s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2836 set thread context of 1524 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 2836 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe

"C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe

"C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe

"C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
PL 45.80.158.55:49182 tkanders.theworkpc.com tcp
US 172.67.75.172:443 api.ip.sb tcp

Files

memory/2836-0-0x00000000008C0000-0x00000000008F0000-memory.dmp

memory/2836-1-0x0000000074BC0000-0x0000000075371000-memory.dmp

memory/2836-2-0x0000000002F10000-0x0000000002F20000-memory.dmp

memory/2836-3-0x0000000002E50000-0x0000000002E6A000-memory.dmp

memory/2836-4-0x0000000002EE0000-0x0000000002EE6000-memory.dmp

memory/1524-5-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

MD5 ef375f28c91db0202bf7db29c0cbc2ce
SHA1 5a3f5d4ec75a468b908c2eb2b9e6f4b1e76c1017
SHA256 f4d1c038db378dec10e7e2fc81ccc2e2d4b8132ef0d66905e3625a0b0cbbde5f
SHA512 f18141e352fcd253e02cb25fa0cff29ab06dec62bafd5aa80ca48c959d1dba97deae830d01bf521f851a8143b9416747eb170d0cedafa32b59155027c02f244d

memory/2836-8-0x0000000074BC0000-0x0000000075371000-memory.dmp

memory/1524-9-0x0000000074BC0000-0x0000000075371000-memory.dmp

memory/1524-10-0x0000000005A10000-0x0000000006028000-memory.dmp

memory/1524-11-0x00000000053F0000-0x0000000005402000-memory.dmp

memory/1524-12-0x0000000005450000-0x000000000548C000-memory.dmp

memory/1524-13-0x00000000053E0000-0x00000000053F0000-memory.dmp

memory/1524-14-0x0000000005490000-0x00000000054DC000-memory.dmp

memory/1524-15-0x00000000056F0000-0x00000000057FA000-memory.dmp

memory/1524-16-0x00000000069F0000-0x0000000006BB2000-memory.dmp

memory/1524-17-0x00000000070F0000-0x000000000761C000-memory.dmp

memory/1524-18-0x0000000006BC0000-0x0000000006C36000-memory.dmp

memory/1524-19-0x0000000006CE0000-0x0000000006D72000-memory.dmp

memory/1524-20-0x0000000007BD0000-0x0000000008176000-memory.dmp

memory/1524-21-0x0000000006EA0000-0x0000000006EBE000-memory.dmp

memory/1524-22-0x0000000007690000-0x00000000076F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE86D.tmp

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\tmpE8A2.tmp

MD5 381b3586815e6993a58a56774117e22c
SHA1 8d0dd1b77522c8c3498665a5ef20b350a93d91c1
SHA256 5b56e288e2e08a26cdbe0af5f88e9225dc1fd74ee9e3e72d68917f1befe48896
SHA512 b158a089174e62ae187e8ed07b9d9c89ba20cc0b32f6a704a4fd099907b3b56be5ade05bea786664c6fc5df9d15223895d679367628c9e51095381d3b946345a

C:\Users\Admin\AppData\Local\Temp\tmpE931.tmp

MD5 22be08f683bcc01d7a9799bbd2c10041
SHA1 2efb6041cf3d6e67970135e592569c76fc4c41de
SHA256 451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA512 0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

C:\Users\Admin\AppData\Local\Temp\tmpE91B.tmp

MD5 14ccc9293153deacbb9a20ee8f6ff1b7
SHA1 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA256 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

C:\Users\Admin\AppData\Local\Temp\tmpE971.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmpE946.tmp

MD5 87210e9e528a4ddb09c6b671937c79c6
SHA1 3c75314714619f5b55e25769e0985d497f0062f2
SHA256 eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512 f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

memory/1524-204-0x0000000074BC0000-0x0000000075371000-memory.dmp