Analysis Overview
SHA256
dc98ef1726f2241bec4e48a438da3db98ed4d5703dd50d9bf1b18c272ff643eb
Threat Level: Known bad
The file slinkyloader.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
Sectoprat family
RedLine
SectopRAT
RedLine payload
Checks computer location settings
Executes dropped EXE
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-20 18:29
Signatures
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-20 18:29
Reported
2024-04-20 18:35
Platform
win10-20240404-en
Max time kernel
209s
Max time network
302s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 196 | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 2428 wrote to memory of 196 | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 2428 wrote to memory of 196 | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | john-nil.gl.at.ply.gg | udp |
| US | 147.185.221.19:32513 | john-nil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 239.45.30.184.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | 870a26be3f9c1558f8c367249c03e57a |
| SHA1 | 17d395b0ca3d2d6323dbb8f5080ebbda4808dc66 |
| SHA256 | 9f79d381354b5bca4548cedf3dd72b1fa7d4889c80d5dadaf50af4e14ee23eb4 |
| SHA512 | 7d34842b9ceb80ab604fe641eb1e53efb33e994ffca3498c47c7a94604df4baedf24f3a714e3239d4418582cdab2348fe57e7f4e081dcafe400d5c8ece8f4f4c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-20 18:29
Reported
2024-04-20 18:35
Platform
win10v2004-20240412-en
Max time kernel
223s
Max time network
307s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4208 wrote to memory of 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 4208 wrote to memory of 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 4208 wrote to memory of 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | john-nil.gl.at.ply.gg | udp |
| US | 147.185.221.19:32513 | john-nil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | 870a26be3f9c1558f8c367249c03e57a |
| SHA1 | 17d395b0ca3d2d6323dbb8f5080ebbda4808dc66 |
| SHA256 | 9f79d381354b5bca4548cedf3dd72b1fa7d4889c80d5dadaf50af4e14ee23eb4 |
| SHA512 | 7d34842b9ceb80ab604fe641eb1e53efb33e994ffca3498c47c7a94604df4baedf24f3a714e3239d4418582cdab2348fe57e7f4e081dcafe400d5c8ece8f4f4c |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-20 18:29
Reported
2024-04-20 18:35
Platform
win11-20240412-en
Max time kernel
216s
Max time network
301s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3640 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 3640 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 3640 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | john-nil.gl.at.ply.gg | udp |
| US | 147.185.221.19:32513 | john-nil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | 870a26be3f9c1558f8c367249c03e57a |
| SHA1 | 17d395b0ca3d2d6323dbb8f5080ebbda4808dc66 |
| SHA256 | 9f79d381354b5bca4548cedf3dd72b1fa7d4889c80d5dadaf50af4e14ee23eb4 |
| SHA512 | 7d34842b9ceb80ab604fe641eb1e53efb33e994ffca3498c47c7a94604df4baedf24f3a714e3239d4418582cdab2348fe57e7f4e081dcafe400d5c8ece8f4f4c |