Analysis Overview
SHA256
ad329ddc9cf9c640ca7705fc3ce47c717f796b55466ec0882509f8596b35ae60
Threat Level: Known bad
The file R B X D 2 5.rar was found to be: Known bad.
Malicious Activity Summary
Detects Strela Stealer payload
RedLine
Strela family
RedLine payload
Credentials from Password Stores: Credentials from Web Browsers
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-24 11:39
Signatures
Detects Strela Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Strela family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-24 11:39
Reported
2024-07-24 11:40
Platform
win10v2004-20240709-en
Max time kernel
3s
Max time network
5s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Client.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Client.exe
"C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-24 11:39
Reported
2024-07-24 11:40
Platform
win10v2004-20240709-en
Max time kernel
18s
Max time network
22s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4864 set thread context of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe
"C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| CH | 185.196.9.26:6302 | tcp | |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
Files
memory/4864-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/4864-1-0x00000000005E0000-0x0000000000680000-memory.dmp
memory/4864-2-0x0000000002B10000-0x0000000002B16000-memory.dmp
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 7ffd0f7f8e37ba9f1d4112a1f60daebd |
| SHA1 | 3be5bf0c2a65dcb02f2d862ec4d62beba6658bad |
| SHA256 | 0e02df1279223b4c5912f99a74cb602b572c7a9e4afae04e65a6010ae47b8bbf |
| SHA512 | ba5c93fd8abeb1c8c6c938ed7b3f77bf7d7bc055316c90c94de9f00724c15b78ef9828a05275c63c9ffd362628492d8c3009edbece5445c0f6aa03a8fc33e88e |
memory/904-9-0x0000000000400000-0x0000000000450000-memory.dmp
memory/4864-11-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/904-13-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/904-12-0x0000000005370000-0x0000000005914000-memory.dmp
memory/904-14-0x0000000004E60000-0x0000000004EF2000-memory.dmp
memory/904-16-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/904-15-0x0000000004F20000-0x0000000004F2A000-memory.dmp
memory/904-17-0x0000000005F40000-0x0000000006558000-memory.dmp
memory/904-18-0x0000000005920000-0x0000000005A2A000-memory.dmp
memory/904-19-0x0000000005000000-0x0000000005012000-memory.dmp
memory/904-20-0x0000000005160000-0x000000000519C000-memory.dmp
memory/904-21-0x00000000051B0000-0x00000000051FC000-memory.dmp
memory/904-22-0x0000000005A30000-0x0000000005A96000-memory.dmp
memory/904-23-0x0000000006800000-0x0000000006850000-memory.dmp
memory/904-24-0x0000000006A20000-0x0000000006BE2000-memory.dmp
memory/904-25-0x0000000007120000-0x000000000764C000-memory.dmp