Overview

overview

10

Static

static

5

Shipping D...ts.exe

windows7-x64

10

Shipping D...ts.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2024 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Documents.exe

  • Size

    963KB

  • MD5

    1cc7ec4c91b811c75bb9621120b95dd4

  • SHA1

    214a6276da8f2ead192d1cb28cf6afd514752eec

  • SHA256

    45546f324eb60085374045715890404ffe9ecbd9c15cbcfcb6828fdfd87179fa

  • SHA512

    af62907155401baa25eb4bfd793ac8cdca1eeb16e030c3c1eb9418b6e1abbea4438c8beea5579e8130b4a4277cad06263a52d080e8e7cc8b9c4221c94fa9d8f0

  • SSDEEP

    24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaHfbSH5:dh+ZkldoPK8YaHf2

Score
10/10
redlinesectopratwindowsinfostealerratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

Windows

C2

95.211.6.240:57887

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pluffer
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rhombiform
    Filesize

    28KB

    MD5

    67d670d3b068b63cdd70a63349c0b52e

    SHA1

    8f1359857bc484258119762622c878c282eaef7b

    SHA256

    1e5b35e0dac4be6ec5f69973f8292a79032f04a61e9c5803ee1ed76a5f339213

    SHA512

    e563f2ccc25cedaefe7dbd73460af353f7f098f22a9b618845f439789845fa3bd1ee793eba615939aa3e468e1b6b571ca5323559acd83484987a6c7d1e115f5c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF4B3.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF4C9.tmp
    Filesize

    92KB

    MD5

    4a1a8aca865134d079146e4ecf2fd4b3

    SHA1

    46756ac1d44b35ac30292f85388d03be5d63ef2f

    SHA256

    205039e56bf51a20bf5a068d2acbf3c6da57b7ec665a7305d63bbad4955d6dcc

    SHA512

    8bb23a2c82271b3bf5d638668d4a7c5baaf8b345b378eaaddf298f301a719622154dc400c475c90e5f7fc84c877fb68a75aefb3bed1aa77f2222d29823baf009

    Download Submit

  • \Users\Admin\AppData\Local\directory\name.exe
    Filesize

    963KB

    MD5

    1cc7ec4c91b811c75bb9621120b95dd4

    SHA1

    214a6276da8f2ead192d1cb28cf6afd514752eec

    SHA256

    45546f324eb60085374045715890404ffe9ecbd9c15cbcfcb6828fdfd87179fa

    SHA512

    af62907155401baa25eb4bfd793ac8cdca1eeb16e030c3c1eb9418b6e1abbea4438c8beea5579e8130b4a4277cad06263a52d080e8e7cc8b9c4221c94fa9d8f0

    Download Submit

  • memory/304-10-0x0000000000160000-0x0000000000164000-memory.dmp

    Filesize

    16KB

    Download

  • memory/532-30-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/532-32-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/532-34-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/532-35-0x00000000743EE000-0x00000000743EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/532-36-0x00000000743E0000-0x0000000074ACE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/532-115-0x00000000743EE000-0x00000000743EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/532-116-0x00000000743E0000-0x0000000074ACE000-memory.dmp

    Filesize

    6.9MB

    Download