Malware Analysis Report

2024-10-19 08:51

Sample ID: 240724-nsj44axeja
Target: R B X D 2 5.rar
SHA256: ad329ddc9cf9c640ca7705fc3ce47c717f796b55466ec0882509f8596b35ae60
Tags: strela discovery redline credential_access infostealer spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: ad329ddc9cf9c640ca7705fc3ce47c717f796b55466ec0882509f8596b35ae60

Threat Level: Known bad

The file R B X D 2 5.rar was found to be: Known bad.

Malicious Activity Summary

Tags: strela discovery redline credential_access infostealer spyware stealer

Detects Strela Stealer payload
RedLine
Strela family
RedLine payload
Credentials from Password Stores: Credentials from Web Browsers
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-24 11:39

Signatures

Detects Strela Stealer payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Strela family (tags: strela)

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-24 11:39
Reported: 2024-07-24 11:40
Platform: win10v2004-20240709-en
Max time kernel: 3s
Max time network: 5s

Command Line

"C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Client.exe"

Signatures

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator                                                  | Process                                                 | Target
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Client.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Client.exe

"C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Client.exe"

Network

Country | Destination | Domain                      | Proto
US      | 8.8.8.8:53  | 228.249.119.40.in-addr.arpa | udp
US      | 8.8.8.8:53  | 74.32.126.40.in-addr.arpa   | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-24 11:39
Reported: 2024-07-24 11:40
Platform: win10v2004-20240709-en
Max time kernel: 18s
Max time network: 22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe"

Signatures

RedLine (tags: infostealer redline)

RedLine payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Credentials from Password Stores: Credentials from Web Browsers (tags: credential_access stealer)

Loads dropped DLL

Description | Indicator | Process                                                          | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting (tags: spyware)

Suspicious use of SetThreadContext

Description                        | Indicator | Process                                                          | Target
PID 4864 set thread context of 904 | N/A       | C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator                                                  | Process                                                          | Target
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe | N/A
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe         | N/A

Suspicious use of AdjustPrivilegeToken

Description              | Indicator | Process                                                   | Target
Token: SeDebugPrivilege  | N/A       | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe

"C:\Users\Admin\AppData\Local\Temp\R B X D 2 5\Roblox Executor.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination       | Domain                      | Proto
US      | 8.8.8.8:53        | 8.8.8.8.in-addr.arpa        | udp
US      | 8.8.8.8:53        | 217.106.137.52.in-addr.arpa | udp
US      | 8.8.8.8:53        | 73.144.22.2.in-addr.arpa    | udp
US      | 8.8.8.8:53        | g.bing.com                  | udp
US      | 13.107.21.237:443 | g.bing.com                  | tcp
CH      | 185.196.9.26:6302 | -                           | tcp
US      | 8.8.8.8:53        | 237.21.107.13.in-addr.arpa  | udp
US      | 8.8.8.8:53        | 64.159.190.20.in-addr.arpa  | udp
US      | 8.8.8.8:53        | 26.9.196.185.in-addr.arpa   | udp
US      | 8.8.8.8:53        | 88.156.103.20.in-addr.arpa  | udp
US      | 8.8.8.8:53        | 228.249.119.40.in-addr.arpa | udp
US      | 8.8.8.8:53        | 149.220.183.52.in-addr.arpa | udp

Files

memory/4864-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/4864-1-0x00000000005E0000-0x0000000000680000-memory.dmp
memory/4864-2-0x0000000002B10000-0x0000000002B16000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll
    MD5    7ffd0f7f8e37ba9f1d4112a1f60daebd
    SHA1   3be5bf0c2a65dcb02f2d862ec4d62beba6658bad
    SHA256 0e02df1279223b4c5912f99a74cb602b572c7a9e4afae04e65a6010ae47b8bbf
    SHA512 ba5c93fd8abeb1c8c6c938ed7b3f77bf7d7bc055316c90c94de9f00724c15b78ef9828a05275c63c9ffd362628492d8c3009edbece5445c0f6aa03a8fc33e88e

memory/904-9-0x0000000000400000-0x0000000000450000-memory.dmp
memory/4864-11-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/904-13-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/904-12-0x0000000005370000-0x0000000005914000-memory.dmp
memory/904-14-0x0000000004E60000-0x0000000004EF2000-memory.dmp
memory/904-16-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/904-15-0x0000000004F20000-0x0000000004F2A000-memory.dmp
memory/904-17-0x0000000005F40000-0x0000000006558000-memory.dmp
memory/904-18-0x0000000005920000-0x0000000005A2A000-memory.dmp
memory/904-19-0x0000000005000000-0x0000000005012000-memory.dmp
memory/904-20-0x0000000005160000-0x000000000519C000-memory.dmp
memory/904-21-0x00000000051B0000-0x00000000051FC000-memory.dmp
memory/904-22-0x0000000005A30000-0x0000000005A96000-memory.dmp
memory/904-23-0x0000000006800000-0x0000000006850000-memory.dmp
memory/904-24-0x0000000006A20000-0x0000000006BE2000-memory.dmp
memory/904-25-0x0000000007120000-0x000000000764C000-memory.dmp