Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12-09-2024 07:34
Static task: static1
Behavioral task: behavioral1
- Sample: RFQAlNASR00388.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: RFQAlNASR00388.exe
- Resource: win10v2004-20240802-en
General
- Target: RFQAlNASR00388.exe
- Size: 1.3MB
- MD5: f5745634275b611f237d16d9dbf62f94
- SHA1: ca7a5863a0d7a3bdf2e17bf4bf1f7fb1ea7937c0
- SHA256: 24985d941556f95dd3a91d2451d11d91af5633f618cd49a6a4ae31ece2dce41e
- SHA512: 3a5ca85ab5bcdfc94d7e69dd71bea474bfc9c5f0c68056c3be5c2d53136799f7d44ae682f7021a37e297279ea718aae0ed33c80fbee0331ebb70a2e30f28b915
- SSDEEP: 12288:aHuIbOgDfCNguCoTPtYhxL9xpVNscBOPIfW:CVaNgCrihFpNsPIe
Malware Config
Extracted
- Family: redline
- Botnet: lovato
- C2: 57.128.132.216:55123
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2888-7-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
  behavioral1/memory/2888-9-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
  behavioral1/memory/2888-6-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
  behavioral1/memory/2888-11-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
  behavioral1/memory/2888-13-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
- SectopRAT payload (5 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2888-7-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
  behavioral1/memory/2888-9-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
  behavioral1/memory/2888-6-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
  behavioral1/memory/2888-11-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
  behavioral1/memory/2888-13-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / Process / procid_target):
  PID 2444 set thread context of 2888  2444  RFQAlNASR00388.exe  30
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / Process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jsc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / Process):
  2888  jsc.exe
  2888  jsc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / Process):
  Token: SeDebugPrivilege  2888  jsc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / Process / procid_target):
  PID 2444 wrote to memory of 2888  2444  RFQAlNASR00388.exe  30
  PID 2444 wrote to memory of 2888  2444  RFQAlNASR00388.exe  30
  PID 2444 wrote to memory of 2888  2444  RFQAlNASR00388.exe  30
  PID 2444 wrote to memory of 2888  2444  RFQAlNASR00388.exe  30
  PID 2444 wrote to memory of 2888  2444  RFQAlNASR00388.exe  30
  PID 2444 wrote to memory of 2888  2444  RFQAlNASR00388.exe  30
  PID 2444 wrote to memory of 2888  2444  RFQAlNASR00388.exe  30
  PID 2444 wrote to memory of 2888  2444  RFQAlNASR00388.exe  30
  PID 2444 wrote to memory of 2888  2444  RFQAlNASR00388.exe  30
  PID 2444 wrote to memory of 2848  2444  RFQAlNASR00388.exe  32
  PID 2444 wrote to memory of 2848  2444  RFQAlNASR00388.exe  32
  PID 2444 wrote to memory of 2848  2444  RFQAlNASR00388.exe  32
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQAlNASR00388.exe (PID 2444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQAlNASR00388.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 2888)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe (PID 2848)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2444 -s 628
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- Filesize: 92KB
  MD5: 9dacdf7238269810f4c56455bc02a2b5
  SHA1: a4fdddc32f512bc7b3973b0026a65c61f0c09823
  SHA256: 96b70070ce33ffeec40bed34dbbed3b79b32d709e5f0c422ce4448b2574a8d8a
  SHA512: 05214bc2eea84586a19a35713a5132a2453ff6dc9b6bfa1304fc2fc9e89e05d250378102b04c692004c38d4caa1a334cdc01b827f0cfaee9d276cbd6ea95cd47