Analysis Overview
SHA256
37cdcbf1a254917646199a07442c5d67c4cca28ced381c0d79b14224e8fdca5f
Threat Level: Known bad
The file Slinky.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT
SectopRAT payload
Sectoprat family
RedLine
RedLine payload
Checks computer location settings
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-20 18:42
Signatures
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Sectoprat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-20 18:42
Reported
2024-04-20 18:48
Platform
win10-20240404-en
Max time kernel
299s
Max time network
304s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4740 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 4740 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 4740 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 4740 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe |
| PID 4740 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Slinky.exe
"C:\Users\Admin\AppData\Local\Temp\Slinky.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 147.185.221.19:32513 | 147.185.221.19 | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4740-1-0x0000000000380000-0x00000000015FC000-memory.dmp
memory/4740-0-0x00007FFE8F500000-0x00007FFE8FEEC000-memory.dmp
memory/4740-2-0x0000000003730000-0x0000000003740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | ddad08ac0b9c4fc1eec301751fa7eb3f |
| SHA1 | d923eac0c7d90353057bda6f43d5531896027c1a |
| SHA256 | 7c7155e558d62b31045f0988e8bec3a5ef7ab658077d293a8d76de2feb773e42 |
| SHA512 | 7eb1bc320da05b5f275cd3a7e238dd67d490dee9faea1798aefd80fc2856185bdb0bd87b6da2d55ff501c2bbd969e7e80e229e6f5b18330a93e6a688cc2847ac |
memory/352-10-0x00000000007E0000-0x00000000007FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
| MD5 | a2223005e6d186689577e5a2b785a16b |
| SHA1 | 1075e177247880d3e1ec940623500bf2e9b275e3 |
| SHA256 | cef5b60321f17991400a19072052535638c0a5c02d338234686552deadeea82e |
| SHA512 | 073f8e682d2468bfe7d55b82cf0ff5dafd2754da2813de2116551e2811809debba7f06c5d8ed5901a59703bfb306fd5fd05d9d1e797bf9e7887826709c6993c6 |
memory/352-11-0x0000000073E00000-0x00000000744EE000-memory.dmp
memory/352-15-0x00000000057A0000-0x0000000005DA6000-memory.dmp
memory/4740-16-0x00007FFE8F500000-0x00007FFE8FEEC000-memory.dmp
memory/352-17-0x0000000005010000-0x0000000005022000-memory.dmp
memory/352-19-0x0000000005070000-0x00000000050AE000-memory.dmp
memory/352-23-0x00000000050B0000-0x00000000050FB000-memory.dmp
memory/352-22-0x0000000005180000-0x0000000005190000-memory.dmp
memory/352-24-0x0000000005310000-0x000000000541A000-memory.dmp
memory/352-25-0x00000000064C0000-0x0000000006682000-memory.dmp
memory/352-26-0x0000000006BC0000-0x00000000070EC000-memory.dmp
memory/352-27-0x0000000006700000-0x0000000006766000-memory.dmp
memory/352-28-0x00000000075F0000-0x0000000007AEE000-memory.dmp
memory/352-29-0x0000000006980000-0x0000000006A12000-memory.dmp
memory/352-30-0x0000000006A20000-0x0000000006A96000-memory.dmp
memory/352-31-0x0000000006B50000-0x0000000006B6E000-memory.dmp
memory/352-56-0x0000000073E00000-0x00000000744EE000-memory.dmp
memory/352-57-0x0000000005180000-0x0000000005190000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-20 18:42
Reported
2024-04-20 18:48
Platform
win10v2004-20240412-en
Max time kernel
299s
Max time network
304s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1160 wrote to memory of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 1160 wrote to memory of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 1160 wrote to memory of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 1160 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe |
| PID 1160 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Slinky.exe
"C:\Users\Admin\AppData\Local\Temp\Slinky.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 147.185.221.19:32513 | 147.185.221.19 | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.46.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.138.73.23.in-addr.arpa | udp |
| US | 52.111.227.13:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
memory/1160-0-0x00007FFF79580000-0x00007FFF7A041000-memory.dmp
memory/1160-1-0x0000000000340000-0x00000000015BC000-memory.dmp
memory/1160-2-0x000000001C280000-0x000000001C290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | ddad08ac0b9c4fc1eec301751fa7eb3f |
| SHA1 | d923eac0c7d90353057bda6f43d5531896027c1a |
| SHA256 | 7c7155e558d62b31045f0988e8bec3a5ef7ab658077d293a8d76de2feb773e42 |
| SHA512 | 7eb1bc320da05b5f275cd3a7e238dd67d490dee9faea1798aefd80fc2856185bdb0bd87b6da2d55ff501c2bbd969e7e80e229e6f5b18330a93e6a688cc2847ac |
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
| MD5 | a2223005e6d186689577e5a2b785a16b |
| SHA1 | 1075e177247880d3e1ec940623500bf2e9b275e3 |
| SHA256 | cef5b60321f17991400a19072052535638c0a5c02d338234686552deadeea82e |
| SHA512 | 073f8e682d2468bfe7d55b82cf0ff5dafd2754da2813de2116551e2811809debba7f06c5d8ed5901a59703bfb306fd5fd05d9d1e797bf9e7887826709c6993c6 |
memory/3216-22-0x0000000000DC0000-0x0000000000DDE000-memory.dmp
memory/3216-23-0x0000000074E20000-0x00000000755D0000-memory.dmp
memory/1160-24-0x00007FFF79580000-0x00007FFF7A041000-memory.dmp
memory/3216-28-0x0000000005EB0000-0x00000000064C8000-memory.dmp
memory/3216-29-0x0000000005780000-0x0000000005792000-memory.dmp
memory/3216-30-0x00000000057E0000-0x000000000581C000-memory.dmp
memory/3216-31-0x0000000005880000-0x0000000005890000-memory.dmp
memory/3216-32-0x0000000005820000-0x000000000586C000-memory.dmp
memory/3216-33-0x0000000005A90000-0x0000000005B9A000-memory.dmp
memory/3216-34-0x0000000006D70000-0x0000000006F32000-memory.dmp
memory/3216-35-0x0000000007470000-0x000000000799C000-memory.dmp
memory/3216-60-0x0000000006F40000-0x0000000006FA6000-memory.dmp
memory/3216-61-0x0000000007150000-0x00000000071E2000-memory.dmp
memory/3216-62-0x00000000071F0000-0x0000000007266000-memory.dmp
memory/3216-63-0x0000000007F50000-0x00000000084F4000-memory.dmp
memory/3216-64-0x0000000007450000-0x000000000746E000-memory.dmp
memory/3216-65-0x0000000074E20000-0x00000000755D0000-memory.dmp
memory/3216-66-0x0000000005880000-0x0000000005890000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-20 18:42
Reported
2024-04-20 18:48
Platform
win11-20240412-en
Max time kernel
299s
Max time network
304s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1656 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 1656 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 1656 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 1656 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe |
| PID 1656 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\Slinky.exe | C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Slinky.exe
"C:\Users\Admin\AppData\Local\Temp\Slinky.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 147.185.221.19:32513 | 147.185.221.19 | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/1656-1-0x00007FFDAE990000-0x00007FFDAF452000-memory.dmp
memory/1656-0-0x0000000000CD0000-0x0000000001F4C000-memory.dmp
memory/1656-2-0x000000001CD10000-0x000000001CD20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | ddad08ac0b9c4fc1eec301751fa7eb3f |
| SHA1 | d923eac0c7d90353057bda6f43d5531896027c1a |
| SHA256 | 7c7155e558d62b31045f0988e8bec3a5ef7ab658077d293a8d76de2feb773e42 |
| SHA512 | 7eb1bc320da05b5f275cd3a7e238dd67d490dee9faea1798aefd80fc2856185bdb0bd87b6da2d55ff501c2bbd969e7e80e229e6f5b18330a93e6a688cc2847ac |
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
| MD5 | a2223005e6d186689577e5a2b785a16b |
| SHA1 | 1075e177247880d3e1ec940623500bf2e9b275e3 |
| SHA256 | cef5b60321f17991400a19072052535638c0a5c02d338234686552deadeea82e |
| SHA512 | 073f8e682d2468bfe7d55b82cf0ff5dafd2754da2813de2116551e2811809debba7f06c5d8ed5901a59703bfb306fd5fd05d9d1e797bf9e7887826709c6993c6 |
memory/2532-24-0x0000000075110000-0x00000000758C1000-memory.dmp
memory/2532-23-0x0000000000A00000-0x0000000000A1E000-memory.dmp
memory/1656-25-0x00007FFDAE990000-0x00007FFDAF452000-memory.dmp
memory/2532-28-0x0000000005B70000-0x0000000006188000-memory.dmp
memory/2532-29-0x0000000002E50000-0x0000000002E62000-memory.dmp
memory/2532-30-0x00000000053A0000-0x00000000053DC000-memory.dmp
memory/2532-31-0x0000000005540000-0x0000000005550000-memory.dmp
memory/2532-32-0x00000000053E0000-0x000000000542C000-memory.dmp
memory/2532-33-0x0000000005660000-0x000000000576A000-memory.dmp
memory/2532-34-0x0000000006A90000-0x0000000006C52000-memory.dmp
memory/2532-35-0x0000000007190000-0x00000000076BC000-memory.dmp
memory/2532-57-0x0000000006C60000-0x0000000006CC6000-memory.dmp
memory/2532-58-0x0000000006F50000-0x0000000006FC6000-memory.dmp
memory/2532-59-0x0000000007070000-0x0000000007102000-memory.dmp
memory/2532-60-0x0000000007C70000-0x0000000008216000-memory.dmp
memory/2532-61-0x0000000007150000-0x000000000716E000-memory.dmp
memory/2532-62-0x0000000075110000-0x00000000758C1000-memory.dmp
memory/2532-63-0x0000000005540000-0x0000000005550000-memory.dmp