Analysis Overview
SHA256
5f41a36d2ff5b44158ea07c59defb05ad87dab312a5dc665573b94895e17cd84
Threat Level: Known bad
The file build.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
SectopRAT payload
Sectoprat family
SectopRAT
RedLine payload
Redline family
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-04-21 00:54
Signatures
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Sectoprat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 00:54
Reported
2024-04-21 01:00
Platform
win10v2004-20240412-en
Max time kernel
295s
Max time network
302s
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tonnersturma-31352.portmap.host | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| DE | 193.161.193.99:31352 | tonnersturma-31352.portmap.host | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files