Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 14-07-2024 08:00
Static task: static1
Behavioral task: behavioral1
- Sample: Panel/Panel.exe
- Resource: win11-20240709-en
Behavioral task: behavioral2
- Sample: builder/RedlineBuilder.exe
- Resource: win11-20240709-en
Behavioral task: behavioral3
- Sample: builder/builder.bat
- Resource: win11-20240709-en
General
- Target: builder/RedlineBuilder.exe
- Size: 488KB
- MD5: 2281dc010aa4af33e4ccfbce434f1435
- SHA1: fe15a3ffd6d2341662857ea573f0bde630c20742
- SHA256: 7e649134ad5f4a718ec7123ec3da26b54c0db2d611c97884d7f181b6a0144438
- SHA512: 26bb703e5b0ed50eb28675ad72cf46903f2fb904bd424604304187ce34a71529fb2b7fa9d010b0bd6215a8a9fae9af3680816631b13682799fd35249a4733e94
- SSDEEP: 12288:7IvU+wMi5kp6I7wxqZvo7aTuncDhgBoy48:7I8G177iaSqkR
Malware Config
Extracted: asyncrat
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- https://api.telegram.org/bot7290956576:AAEqdtE6cg2Gkoyn1hXNmqRl7-0FVD2J6bE/sendMessage?chat_id=6569055789
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe | family_redline
    behavioral2/memory/4556-24-0x0000000000B10000-0x0000000000B64000-memory.dmp | family_redline
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\Server.exe | family_stormkitty
    behavioral2/memory/1048-23-0x0000000000040000-0x0000000000072000-memory.dmp | family_stormkitty
- Async RAT payload (1 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\Server.exe | family_asyncrat
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    1048 | Server.exe
    4556 | RedlineBuilder.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (8 IoCs)
  Processes (Server.exe):
    description | ioc | process
    File created | C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | Server.exe
    File created | C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | Server.exe
    File created | C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | Server.exe
    File opened for modification | C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | Server.exe
    File created | C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | Server.exe
    File opened for modification | C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | Server.exe
    File created | C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | Server.exe
    File created | C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | Server.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    1 | icanhazip.com
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (netsh.exe, netsh.exe):
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
    Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
    Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
    Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
    Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
    Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Program crash (1 IoCs)
  Processes (WerFault.exe):
    pid | pid_target | process | target process
    4676 | 4556 | WerFault.exe | RedlineBuilder.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (Server.exe):
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Server.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Server.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes (Server.exe):
    pid | process
    1048 | Server.exe (the same entry is listed 19 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (Server.exe):
    description | pid | process
    Token: SeDebugPrivilege | 1048 | Server.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (RedlineBuilder.exe, Server.exe, cmd.exe, cmd.exe); each event below is listed three times in the report, giving 27 entries:
    description | pid | process | target process
    PID 448 wrote to memory of 1048 | 448 | RedlineBuilder.exe | Server.exe
    PID 448 wrote to memory of 4556 | 448 | RedlineBuilder.exe | RedlineBuilder.exe
    PID 1048 wrote to memory of 1356 | 1048 | Server.exe | cmd.exe
    PID 1356 wrote to memory of 244 | 1356 | cmd.exe | chcp.com
    PID 1356 wrote to memory of 1192 | 1356 | cmd.exe | netsh.exe
    PID 1356 wrote to memory of 760 | 1356 | cmd.exe | findstr.exe
    PID 1048 wrote to memory of 2360 | 1048 | Server.exe | cmd.exe
    PID 2360 wrote to memory of 2280 | 2360 | cmd.exe | chcp.com
    PID 2360 wrote to memory of 2436 | 2360 | cmd.exe | netsh.exe
Processes (indentation shows the parent/child tree; "cmd:" is the observed command line, "sig:" a signature hit on that process)
- C:\Users\Admin\AppData\Local\Temp\builder\RedlineBuilder.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\builder\RedlineBuilder.exe"
  sig: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    sig: Executes dropped EXE
    sig: Drops desktop.ini file(s)
    sig: Checks processor information in registry
    sig: Suspicious behavior: EnumeratesProcesses
    sig: Suspicious use of AdjustPrivilegeToken
    sig: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      cmd: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        cmd: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe
        cmd: netsh wlan show profile
        sig: Event Triggered Execution: Netsh Helper DLL
      - C:\Windows\SysWOW64\findstr.exe
        cmd: findstr All
    - C:\Windows\SysWOW64\cmd.exe
      cmd: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        cmd: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe
        cmd: netsh wlan show networks mode=bssid
        sig: Event Triggered Execution: Netsh Helper DLL
  - C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe"
    sig: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 892
      sig: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4556 -ip 4556
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\860ec41999678dbb4640d20d917c2e80\msgid.dat
  Filesize: 1B
  MD5: cfcd208495d565ef66e7dff9f98764da
  SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
- C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe
  Filesize: 308KB
  MD5: 128cbb0f113189a8af347f14cb223357
  SHA1: 7472ff8bcf4b6ab90e30ec0352f0ecb44c655cf7
  SHA256: a392dc6ad27dbc999aef5db8efaa63a65e570ca3bff7a79c5053ce7b7ba41a0e
  SHA512: 1bddf607e1e8ef32d39e16fcb9d9d87573f61ceee9a898c287ad236beaea818b223a28196395145a7b3eca5883e5da5b3a3dc0273fd66d64e103c24739868b35
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 175KB
  MD5: a10cc05978289eb72c91f571adbd4351
  SHA1: 473fdf9c0738acc630903ca60280beef9ac88932
  SHA256: a794873c8b6f3951d1b7376732b37e89ab384fd4c9b33ee35fa7579815bd8095
  SHA512: 9de9da9b7db02a9f3eb40f380063ccef24026a3331218a4a661222500ec6404bbe98ec336af3c06ba571d725ee3f815db115efb7cee8ec395bcfe0b97014c9f3
- C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
- C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\System\Process.txt
  Filesize: 4KB
  MD5: dd590eaeeee289d7bd237dd684af784b
  SHA1: 1f8ff346f43491a724ee6870747ebe5586b3f93d
  SHA256: 7c335f5ddd29d6d5d37f86eaae448645e7ba4d54b4132bdd58ece2c8f1596221
  SHA512: 0ad30373f63246e9588c8ffce7def1eceef9ca54337616507d052b772ffa6642c0c8f8bd969394ae17cde67574de263489862179fcfd5cc229a5bf77ff546ad3
Memory dumps
- memory/1048-28-0x00000000049A0000-0x0000000004A06000-memory.dmp: Filesize 408KB
- memory/1048-167-0x0000000073B20000-0x00000000742D1000-memory.dmp: Filesize 7.7MB
- memory/1048-179-0x0000000073B20000-0x00000000742D1000-memory.dmp: Filesize 7.7MB
- memory/1048-178-0x0000000073B20000-0x00000000742D1000-memory.dmp: Filesize 7.7MB
- memory/1048-23-0x0000000000040000-0x0000000000072000-memory.dmp: Filesize 200KB
- memory/1048-177-0x0000000073B2E000-0x0000000073B2F000-memory.dmp: Filesize 4KB
- memory/1048-165-0x0000000005420000-0x00000000054B2000-memory.dmp: Filesize 584KB
- memory/1048-26-0x0000000073B20000-0x00000000742D1000-memory.dmp: Filesize 7.7MB
- memory/1048-166-0x0000000005BA0000-0x0000000006146000-memory.dmp: Filesize 5.6MB
- memory/1048-171-0x0000000005640000-0x000000000564A000-memory.dmp: Filesize 40KB
- memory/1048-21-0x0000000073B2E000-0x0000000073B2F000-memory.dmp: Filesize 4KB
- memory/4556-24-0x0000000000B10000-0x0000000000B64000-memory.dmp: Filesize 336KB
- memory/4556-25-0x0000000073B20000-0x00000000742D1000-memory.dmp: Filesize 7.7MB
- memory/4556-27-0x0000000073B20000-0x00000000742D1000-memory.dmp: Filesize 7.7MB