Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 07:34

General

  • Target

    RFQAlNASR00388.exe

  • Size

    1.3MB

  • MD5

    f5745634275b611f237d16d9dbf62f94

  • SHA1

    ca7a5863a0d7a3bdf2e17bf4bf1f7fb1ea7937c0

  • SHA256

    24985d941556f95dd3a91d2451d11d91af5633f618cd49a6a4ae31ece2dce41e

  • SHA512

    3a5ca85ab5bcdfc94d7e69dd71bea474bfc9c5f0c68056c3be5c2d53136799f7d44ae682f7021a37e297279ea718aae0ed33c80fbee0331ebb70a2e30f28b915

  • SSDEEP

    12288:aHuIbOgDfCNguCoTPtYhxL9xpVNscBOPIfW:CVaNgCrihFpNsPIe

Malware Config

Extracted

Family

redline

Botnet

lovato

C2

57.128.132.216:55123

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 5 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQAlNASR00388.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQAlNASR00388.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2444 -s 628
      2⤵
        PID:2848

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp179E.tmp

      Filesize

      46KB

      MD5

      02d2c46697e3714e49f46b680b9a6b83

      SHA1

      84f98b56d49f01e9b6b76a4e21accf64fd319140

      SHA256

      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

      SHA512

      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    • C:\Users\Admin\AppData\Local\Temp\tmp17B4.tmp

      Filesize

      92KB

      MD5

      9dacdf7238269810f4c56455bc02a2b5

      SHA1

      a4fdddc32f512bc7b3973b0026a65c61f0c09823

      SHA256

      96b70070ce33ffeec40bed34dbbed3b79b32d709e5f0c422ce4448b2574a8d8a

      SHA512

      05214bc2eea84586a19a35713a5132a2453ff6dc9b6bfa1304fc2fc9e89e05d250378102b04c692004c38d4caa1a334cdc01b827f0cfaee9d276cbd6ea95cd47

    • memory/2444-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

      Filesize

      4KB

    • memory/2444-1-0x0000000001190000-0x00000000011A8000-memory.dmp

      Filesize

      96KB

    • memory/2444-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

      Filesize

      9.9MB

    • memory/2444-3-0x0000000000B00000-0x0000000000B70000-memory.dmp

      Filesize

      448KB

    • memory/2444-95-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

      Filesize

      9.9MB

    • memory/2444-34-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

      Filesize

      4KB

    • memory/2888-6-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2888-5-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2888-11-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2888-13-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2888-14-0x000000007457E000-0x000000007457F000-memory.dmp

      Filesize

      4KB

    • memory/2888-15-0x0000000074570000-0x0000000074C5E000-memory.dmp

      Filesize

      6.9MB

    • memory/2888-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2888-9-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2888-7-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2888-4-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2888-96-0x0000000074570000-0x0000000074C5E000-memory.dmp

      Filesize

      6.9MB