Overview

overview

10

Static

static

10

Slinky.exe

windows10-1703-x64

10

Slinky.exe

windows10-2004-x64

10

Slinky.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    304s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-04-2024 18:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Slinky.exe

  • Size

    18.5MB

  • MD5

    7c1e228c63aef5d1775c065a5597cccf

  • SHA1

    9d5768654e927ba34a1a2e4a8a850a9dc6350e0d

  • SHA256

    37cdcbf1a254917646199a07442c5d67c4cca28ced381c0d79b14224e8fdca5f

  • SHA512

    a6f902dacc333ab12e8b4d1d395d007cd7100253aa2ab2b49bc3749f42064f99215e370a301b0e07f34c681fb1a9ebe0a45f4cc00119fbaa5f6309560f325db0

  • SSDEEP

    393216:TKRqNWNKROYkhkpXorNv+oXsDS3LNK3HOU6x0pW/lJktSrZPLAB:eANWKRrpYrNvou7NK3uU6E29dPL

Score
10/10
redlinesectopratcheatdiscoveryinfostealerratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

147.185.221.19:32513

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Slinky.exe
    "C:\Users\Admin\AppData\Local\Temp\Slinky.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3216
    • C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
      "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    ddad08ac0b9c4fc1eec301751fa7eb3f

    SHA1

    d923eac0c7d90353057bda6f43d5531896027c1a

    SHA256

    7c7155e558d62b31045f0988e8bec3a5ef7ab658077d293a8d76de2feb773e42

    SHA512

    7eb1bc320da05b5f275cd3a7e238dd67d490dee9faea1798aefd80fc2856185bdb0bd87b6da2d55ff501c2bbd969e7e80e229e6f5b18330a93e6a688cc2847ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
    Filesize

    18.4MB

    MD5

    a2223005e6d186689577e5a2b785a16b

    SHA1

    1075e177247880d3e1ec940623500bf2e9b275e3

    SHA256

    cef5b60321f17991400a19072052535638c0a5c02d338234686552deadeea82e

    SHA512

    073f8e682d2468bfe7d55b82cf0ff5dafd2754da2813de2116551e2811809debba7f06c5d8ed5901a59703bfb306fd5fd05d9d1e797bf9e7887826709c6993c6

    Download Submit

  • memory/1160-24-0x00007FFF79580000-0x00007FFF7A041000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1160-1-0x0000000000340000-0x00000000015BC000-memory.dmp

    Filesize

    18.5MB

    Download

  • memory/1160-2-0x000000001C280000-0x000000001C290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1160-0-0x00007FFF79580000-0x00007FFF7A041000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3216-30-0x00000000057E0000-0x000000000581C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3216-35-0x0000000007470000-0x000000000799C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3216-28-0x0000000005EB0000-0x00000000064C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3216-29-0x0000000005780000-0x0000000005792000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-22-0x0000000000DC0000-0x0000000000DDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3216-31-0x0000000005880000-0x0000000005890000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3216-32-0x0000000005820000-0x000000000586C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3216-33-0x0000000005A90000-0x0000000005B9A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3216-34-0x0000000006D70000-0x0000000006F32000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3216-23-0x0000000074E20000-0x00000000755D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3216-60-0x0000000006F40000-0x0000000006FA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3216-61-0x0000000007150000-0x00000000071E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3216-62-0x00000000071F0000-0x0000000007266000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3216-63-0x0000000007F50000-0x00000000084F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3216-64-0x0000000007450000-0x000000000746E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3216-65-0x0000000074E20000-0x00000000755D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3216-66-0x0000000005880000-0x0000000005890000-memory.dmp

    Filesize

    64KB

    Download