Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
25-07-2024 13:45
General
-
Target
30ba5e65d50eec050a3a367ddc885176866e666ef3bbfad0069db77eaa90b5a6.exe
-
Size
504KB
-
MD5
976c60b82a4dfb6441e0c39b7e2725f2
-
SHA1
11a807a614386017a4cae2bd557410f1cee9b975
-
SHA256
30ba5e65d50eec050a3a367ddc885176866e666ef3bbfad0069db77eaa90b5a6
-
SHA512
b1d3f218d58c4f9e62d23453330c334246fdbd460b657c02353ccdff636a5ca5eea0d4d7da5658abfb00dd446a37f9d2945b29592bf273ed22ae07078ee60083
-
SSDEEP
12288:pCKcU5h7YQMDavierlJMa27XLkPjnqR19vV3c:vcoZYQn5pJMqn0vV3c
Malware Config
Extracted
redline
cheat
185.222.57.147:55615
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 5 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\30ba5e65d50eec050a3a367ddc885176866e666ef3bbfad0069db77eaa90b5a6.exe"C:\Users\Admin\AppData\Local\Temp\30ba5e65d50eec050a3a367ddc885176866e666ef3bbfad0069db77eaa90b5a6.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\30ba5e65d50eec050a3a367ddc885176866e666ef3bbfad0069db77eaa90b5a6.exe"C:\Users\Admin\AppData\Local\Temp\30ba5e65d50eec050a3a367ddc885176866e666ef3bbfad0069db77eaa90b5a6.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
92KB
MD54a1a8aca865134d079146e4ecf2fd4b3
SHA146756ac1d44b35ac30292f85388d03be5d63ef2f
SHA256205039e56bf51a20bf5a068d2acbf3c6da57b7ec665a7305d63bbad4955d6dcc
SHA5128bb23a2c82271b3bf5d638668d4a7c5baaf8b345b378eaaddf298f301a719622154dc400c475c90e5f7fc84c877fb68a75aefb3bed1aa77f2222d29823baf009
-
Filesize
4KB
-
Filesize
504KB
-
Filesize
6.9MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
384KB
-
Filesize
6.9MB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
6.9MB
-
Filesize
6.9MB