Resubmissions

  date              id                 score
  27-06-2024 05:17  240627-fy7tcawhkr  10
  02-06-2024 07:35  240602-jeng5sfa6t  10
  02-06-2024 07:25  240602-h878zaeg9y  10

Analysis
  max time kernel:  145s
  max time network: 117s
  platform:         windows11-21h2_x64
  resource:         win11-20240426-en
  resource tags:    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:        02-06-2024 07:25
Static task:     static1
Behavioral task: behavioral1
Sample:          8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
Resource:        win10v2004-20240426-en
General

  Target: 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  Size:   1.8MB
  MD5:    ac7237bfbd3e63efa1c29bf506a5833d
  SHA1:   1d0160a085b8aa1383cba4e6c0b789014cf3cfe6
  SHA256: 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908
  SHA512: a3826b72be1815fbd782d9f6b20f732339d1540f378dd95c26e34b14cd60d57e9e613361b8c20da9f9fcead0c2ce84998eeb48ee3b5addc22b9374401a4c42eb
  SSDEEP: 24576:Q+SDM3ZxtLyy1EGw1wKO6+O3Osp8ljtbfEbuMJpd2QLXWoRu7CeE2oK:fSDMpxj1I1NZkjRfWuMJu6cGg
Malware Config

Extracted: amadey
  4.21
  49e482
  http://147.45.47.70
  install_dir:  1b29d73536
  install_file: axplont.exe
  strings_key:  4d31dd1a190d9879c21fac6d87dc0043
  url_paths:    /tr8nomy/index.php

Extracted: redline
  newbild
  185.215.113.67:40960
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe                      family_redline
  behavioral2/memory/1584-41-0x0000000000C30000-0x0000000000C80000-memory.dmp  family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  Processes: axplont.exe, axplont.exe, 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe, axplont.exe, axplont.exe
  description  ioc                                          process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  axplont.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  axplont.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  axplont.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  axplont.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Processes: 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe, axplont.exe, axplont.exe, axplont.exe, axplont.exe
  description        ioc                                                          process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  axplont.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   axplont.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   axplont.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   axplont.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  axplont.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  axplont.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   axplont.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  axplont.exe

Executes dropped EXE (5 IoCs)
  Processes: axplont.exe, newbild.exe, axplont.exe, axplont.exe, axplont.exe
  pid   process
  4232  axplont.exe
  1584  newbild.exe
  4632  axplont.exe
  3564  axplont.exe
  4660  axplont.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe, axplont.exe, axplont.exe, axplont.exe, axplont.exe
  description  ioc                                                                         process
  Key opened   \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine  8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine  axplont.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine  axplont.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine  axplont.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine  axplont.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes: 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe, axplont.exe, axplont.exe, axplont.exe, axplont.exe
  pid   process
  3836  8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  4232  axplont.exe
  4632  axplont.exe
  3564  axplont.exe
  4660  axplont.exe

Drops file in Windows directory (1 IoCs)
  Processes: 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  description   ioc                             process
  File created  C:\Windows\Tasks\axplont.job    8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe, axplont.exe, newbild.exe, axplont.exe, axplont.exe, axplont.exe
  pid   process
  3836  8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  3836  8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  4232  axplont.exe
  4232  axplont.exe
  1584  newbild.exe
  1584  newbild.exe
  1584  newbild.exe
  1584  newbild.exe
  1584  newbild.exe
  4632  axplont.exe
  4632  axplont.exe
  3564  axplont.exe
  3564  axplont.exe
  4660  axplont.exe
  4660  axplont.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: newbild.exe
  description              pid   process
  Token: SeDebugPrivilege  1584  newbild.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe, axplont.exe
  description                     pid   process                                                                 target process
  PID 3836 wrote to memory of 4232  3836  8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe  axplont.exe
  PID 3836 wrote to memory of 4232  3836  8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe  axplont.exe
  PID 3836 wrote to memory of 4232  3836  8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe  axplont.exe
  PID 4232 wrote to memory of 1584  4232  axplont.exe                                                             newbild.exe
  PID 4232 wrote to memory of 1584  4232  axplont.exe                                                             newbild.exe
  PID 4232 wrote to memory of 1584  4232  axplont.exe                                                             newbild.exe
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

(depth 1) C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

(depth 1) C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

(depth 1) C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe
  Filesize: 297KB
  MD5:      c302ed158d988bc5aeb37a4658e3eb0a
  SHA1:     af658ccf6f44899a0ffb97759e6135f46dcd2f8e
  SHA256:   58bdeb7c3da885110d6983f3e7e752119ec8bf9da9631452b94ddc8bed6abf90
  SHA512:   94e4576e39d6cac2d5553cdec9def10926929a3f4262b5bc1caa3e7db64f0e73c00e5fc1aef08eff003d25a294edc1b95ba89a7880d93d97b873f8d275a4f09d

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  Filesize: 1.8MB
  MD5:      ac7237bfbd3e63efa1c29bf506a5833d
  SHA1:     1d0160a085b8aa1383cba4e6c0b789014cf3cfe6
  SHA256:   8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908
  SHA512:   a3826b72be1815fbd782d9f6b20f732339d1540f378dd95c26e34b14cd60d57e9e613361b8c20da9f9fcead0c2ce84998eeb48ee3b5addc22b9374401a4c42eb

Memory dumps (name, Filesize):
  memory/1584-47-0x00000000058C0000-0x00000000058D2000-memory.dmp  72KB
  memory/1584-54-0x0000000008380000-0x00000000088AC000-memory.dmp  5.2MB
  memory/1584-41-0x0000000000C30000-0x0000000000C80000-memory.dmp  320KB
  memory/1584-40-0x000000007316E000-0x000000007316F000-memory.dmp  4KB
  memory/1584-50-0x0000000006320000-0x0000000006386000-memory.dmp  408KB
  memory/1584-45-0x0000000006940000-0x0000000006F58000-memory.dmp  6.1MB
  memory/1584-44-0x0000000005730000-0x000000000573A000-memory.dmp  40KB
  memory/1584-48-0x0000000005A30000-0x0000000005A6C000-memory.dmp  240KB
  memory/1584-42-0x0000000005D70000-0x0000000006316000-memory.dmp  5.6MB
  memory/1584-49-0x0000000005A70000-0x0000000005ABC000-memory.dmp  304KB
  memory/1584-51-0x0000000007D00000-0x0000000007D50000-memory.dmp  320KB
  memory/1584-46-0x0000000005B40000-0x0000000005C4A000-memory.dmp  1.0MB
  memory/1584-53-0x0000000007440000-0x0000000007602000-memory.dmp  1.8MB
  memory/1584-43-0x00000000057C0000-0x0000000005852000-memory.dmp  584KB
  memory/3564-70-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/3564-71-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/3836-5-0x00000000006C0000-0x0000000000B70000-memory.dmp   4.7MB
  memory/3836-0-0x00000000006C0000-0x0000000000B70000-memory.dmp   4.7MB
  memory/3836-3-0x00000000006C0000-0x0000000000B70000-memory.dmp   4.7MB
  memory/3836-1-0x00000000777A6000-0x00000000777A8000-memory.dmp   8KB
  memory/3836-17-0x00000000006C0000-0x0000000000B70000-memory.dmp  4.7MB
  memory/3836-2-0x00000000006C1000-0x00000000006EF000-memory.dmp   184KB
  memory/4232-52-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-72-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-20-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-56-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-58-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-59-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-77-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-76-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-63-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-64-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-65-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-66-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-67-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-19-0x0000000000F11000-0x0000000000F3F000-memory.dmp  184KB
  memory/4232-69-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-18-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-21-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-73-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-74-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4232-75-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4632-62-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4632-60-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4660-79-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB
  memory/4660-80-0x0000000000F10000-0x00000000013C0000-memory.dmp  4.7MB