Analysis
-
max time kernel
125s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2024 01:40
Static task
static1
Behavioral task
behavioral1
Sample
RFQ-Al NASR-00388.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
RFQ-Al NASR-00388.exe
Resource
win10v2004-20240802-en
General
-
Target
RFQ-Al NASR-00388.exe
-
Size
1.2MB
-
MD5
3061698f92d9687f0db272a011b7233a
-
SHA1
c978701c0f44c0b6786db78260c4cbe7c26119b0
-
SHA256
48c08ffb5d775cc658f104dc91f823ba5f718efa9baa0938f070f1b3f6941d77
-
SHA512
b49bf3de441f1866a833330e8470c5ec0a47181ccac6d18743a1904b1f75515d7d8eb82324a91af61a5bf43ed42d49ef6fd4a8d11c2e586c14c0b096e36042b0
-
SSDEEP
12288:xiGaMjooOgsixdY7ck4nZ2yGcPAk8drp5FF:LP5xdHJ2qVirXFF
Malware Config
Extracted
redline
lovato
57.128.132.216:55123
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4676-4-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4676-4-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
RFQ-Al NASR-00388.exedescription pid Process procid_target PID 4192 set thread context of 4676 4192 RFQ-Al NASR-00388.exe 93 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
jsc.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jsc.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
jsc.exepid Process 4676 jsc.exe 4676 jsc.exe 4676 jsc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
jsc.exedescription pid Process Token: SeDebugPrivilege 4676 jsc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
RFQ-Al NASR-00388.exedescription pid Process procid_target PID 4192 wrote to memory of 4676 4192 RFQ-Al NASR-00388.exe 93 PID 4192 wrote to memory of 4676 4192 RFQ-Al NASR-00388.exe 93 PID 4192 wrote to memory of 4676 4192 RFQ-Al NASR-00388.exe 93 PID 4192 wrote to memory of 4676 4192 RFQ-Al NASR-00388.exe 93 PID 4192 wrote to memory of 4676 4192 RFQ-Al NASR-00388.exe 93 PID 4192 wrote to memory of 4676 4192 RFQ-Al NASR-00388.exe 93 PID 4192 wrote to memory of 4676 4192 RFQ-Al NASR-00388.exe 93 PID 4192 wrote to memory of 4676 4192 RFQ-Al NASR-00388.exe 93 PID 4192 wrote to memory of 3132 4192 RFQ-Al NASR-00388.exe 94 PID 4192 wrote to memory of 3132 4192 RFQ-Al NASR-00388.exe 94 PID 4192 wrote to memory of 3132 4192 RFQ-Al NASR-00388.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ-Al NASR-00388.exe"C:\Users\Admin\AppData\Local\Temp\RFQ-Al NASR-00388.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵PID:3132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=1320 /prefetch:81⤵PID:2300
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD56e389da3969c19b6dbfb95013149bbb5
SHA1f02ff8f1f1b353e36e4f609d39815c17eba8cee3
SHA2564928d3109995b2faee203bc67184c892e9633fc7df6ad619f5852cf680c36ed4
SHA512af965dc6aa1c26442f883e2d916509bc7766b425768e6a482223fdd1d3a5133c3b1955ad91bd578c387cc260efee4f738095d8ed7bafb7ed953edcc948313636
-
Filesize
56KB
MD57872fbf0a1bb518682babda3d8dc7b4e
SHA19714d4f9f7e7c3b9a99f656b88b3a10cbd9c65e4
SHA256a821fa964b5c5273f0e4696e98815f07113c85436cc468f41f39722e7d2767c2
SHA512f91bb32e1675f822af53ebc91dc5764625b13bc2e365dcf795e1132525857e5d43a18b2f53b4bb70722aef7a0eafd5b3e4d1805f8567d325d34ae41c281832c0
-
Filesize
232KB
MD5c81f4e34f24ce06ee18a6219566e5585
SHA170754cb40ded5ed659589ad77bfe7dfc6eeece8e
SHA256a8a77033ab4d8dab6a78b0ea8d5ab5e555cfd67c5dc8cc03b3669dcb9bea9caa
SHA512565fa7a5bffd9956f9cf462a19a98f924f0c74942dbe83e8a3bb8a64e036829e1322f601817ebbaef9fb56a5f8009e20da5d676b9f720caa25293c54421611a9
-
Filesize
96KB
MD540f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1d6582ba879235049134fa9a351ca8f0f785d8835
SHA256cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2