Analysis Overview
SHA256
5f41a36d2ff5b44158ea07c59defb05ad87dab312a5dc665573b94895e17cd84
Threat Level: Known bad
The file build.exe was found to be: Known bad.
Malicious Activity Summary
Redline family
Sectoprat family
RedLine payload
SectopRAT payload
RedLine
SectopRAT
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-21 00:47
Signatures
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Sectoprat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 00:47
Reported
2024-04-21 00:53
Platform
win10-20240404-en
Max time kernel
199s
Max time network
300s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tonnersturma-31352.portmap.host | udp |
| DE | 193.161.193.99:31352 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 193.161.193.99:31352 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files