Malware Analysis Report

2024-12-08 01:28

Sample ID 240906-e7874awgkq
Target Implosions.exe
SHA256 5b1d458a558dbe702742407f213b8a38241555bbded345b0f7c46529b938b3a3
Tags
redline sectoprat russianhack discovery infostealer rat trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

5b1d458a558dbe702742407f213b8a38241555bbded345b0f7c46529b938b3a3

Threat Level: Known bad

The file Implosions.exe was found to be: Known bad.

Malicious Activity Summary

redline sectoprat russianhack discovery infostealer rat trojan

SectopRAT payload

RedLine

RedLine payload

SectopRAT

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-06 04:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-06 04:36

Reported

2024-09-06 04:38

Platform

win7-20240708-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Implosions.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\Implosions.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Implosions.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Implosions.exe

"C:\Users\Admin\AppData\Local\Temp\Implosions.exe"

Network

Country Destination Domain Proto
NL 109.234.38.212:6677 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-06 04:36

Reported

2024-09-06 04:38

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Implosions.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\Implosions.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Implosions.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Implosions.exe

"C:\Users\Admin\AppData\Local\Temp\Implosions.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 109.234.38.212:6677 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files
