Analysis

  • max time kernel
    41s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-08-2024 18:33

General

  • Target

    Redeye Email Checker.exe

  • Size

    1.8MB

  • MD5

    ee91506ae8f5516e3db1a0931ea8843c

  • SHA1

    6862064d8a664626fd6d39e4d4c57d6c68ac245d

  • SHA256

    8b904606790976539fd73805d8a8283a30b67907bc35f7e98e3f679d500d0aca

  • SHA512

    d8bd0818dcdcf3904fb93af282c27f25607d980a5de18a4ff4081ecab43eee42408ba381e33531bdc5c261875b4076c214244c34d765cb0cd3f3351542cc1ae9

  • SSDEEP

    24576:SR+kTF4nMlM6O7PxpXkEX7L1Mfyx4AdGIBDA2d7/cqPfRtItNaFIJ0AwJyxWgZqe:++uKnzZVkS10AdGI9lvRt8PxWYskAD

Malware Config

Extracted

Family

redline

Botnet

UltimateCrackPack

C2

51.83.170.23:16128

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Redeye Email Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Redeye Email Checker.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
      "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2508
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
    • C:\Users\Admin\AppData\Local\Temp\Redeye Email Checker.exe
      "C:\Users\Admin\AppData\Local\Temp\Redeye Email Checker.exe"
      2⤵
      PID:2488

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe

      Filesize

      115KB

      MD5

      dc6f230a993249cbe632aea3edbbd63e

      SHA1

      ee67ed14eb647918d0d7ffd11ba7b665eeb19c27

      SHA256

      a6c001e47fd68b6c97fa484c5c98f918eed5d231bd8f1a4e4ad65af20788118b

      SHA512

      7e9b46e5d8e8fa609c839d570cf6cf80c7464de553f094e02b6f86e96dc81ce65a1f5f071acd6fadec9d1f4690f48972d4425a7dc2bb0bab7d0588eae81fa5e2

    • memory/1584-10-0x00000000002B0000-0x00000000002D2000-memory.dmp

      Filesize

      136KB

    • memory/1584-8-0x0000000000960000-0x0000000000984000-memory.dmp

      Filesize

      144KB

    • memory/1820-1-0x0000000000FE0000-0x00000000011A8000-memory.dmp

      Filesize

      1.8MB

    • memory/1820-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

      Filesize

      4KB

    • memory/2324-12-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2324-21-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2324-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2324-18-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2324-16-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2324-14-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2324-23-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2324-22-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2488-9-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

      Filesize

      9.9MB