Overview

overview

10

Static

static

10

33c689da9e...46.exe

windows7-x64

10

33c689da9e...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    03-08-2024 04:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33c689da9eaa894882cdb0fa90e9bb46.exe

  • Size

    568KB

  • MD5

    33c689da9eaa894882cdb0fa90e9bb46

  • SHA1

    5afc0dc2f90bea1c34acfa37563570afe9db8fb4

  • SHA256

    ef0f0472b0aaa446f0bd4ffe6d4d795def72eab197c783d839811200e57c0f08

  • SHA512

    68d32de11ddb0b36693ec87782ea6de2c5b8f8b4f5747bce38085a3384674af80e88953a6a9ba78b3acabde9f6198c2442cbb5865954415c26231066761b4251

  • SSDEEP

    3072:C1U1cWgzWHY3+zi0ZbYe1g0ujyzdgYLz60gznkI8yQSI8yUrNc5vDA:IccXKHYuG0LahyKv5FEvE

Score
10/10
redlinesectopratxxxxcredential_accessdiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

xxxx

C2

212.224.93.60:51914

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33c689da9eaa894882cdb0fa90e9bb46.exe
    "C:\Users\Admin\AppData\Local\Temp\33c689da9eaa894882cdb0fa90e9bb46.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\LocalJMzRXaGbhr.exe
      "C:\Users\Admin\AppData\LocalJMzRXaGbhr.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalJMzRXaGbhr.exe
    Filesize

    95KB

    MD5

    7087178f8c713e35d97f0d0625ed2b30

    SHA1

    2b46fe2684e10bb876caf99195af1e844249f9c5

    SHA256

    e56e0057e0c90da8ae239826ac313d213b348d74914f9a6b2728bdc53e7cb510

    SHA512

    b70f4b6a8aa9e082f149fa56450d8752d5a8efc6c7c81519507eb1bc0b57655a3f0eb1c37409d30c50d59e889b618cb39a011313ce2f04573b45bd1789341003

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpF0CF.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpF0E4.tmp
    Filesize

    92KB

    MD5

    de7d702f13db499233da2c87959d7696

    SHA1

    8d51283dc6b41cae89ac01928cd0460604ff1d3e

    SHA256

    78e689d13f1ff71daeb36634831fa7457a8c90ea465a3e342aef921d8ca82b34

    SHA512

    a57e198ff5e32453ac99d6aefb5ab71f9cb4c80006f2a75d3c3e0ef28a0ca00f387110788edc1df1e0a7ab9a2503571e82749e51acf7c67e654a586503754045

    Download Submit
  • memory/1976-11-0x0000000000890000-0x00000000008AE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1976-10-0x00000000744CE000-0x00000000744CF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1976-12-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1976-97-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2036-0-0x000007FEF59CE000-0x000007FEF59CF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2036-8-0x000000001AEE0000-0x000000001AEF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2036-9-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2036-98-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp
    Filesize

    9.6MB

    Download