Analysis

Max time kernel: 89s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-10-2024 02:26

Static task: static1

Behavioral tasks:
- behavioral1: sample net8.0-windows.rar, resource win10v2004-20240802-en
- behavioral2: sample RLTool.deps.json, resource win10v2004-20240802-en
- behavioral3: sample RLTool.exe, resource win10v2004-20240802-en
- behavioral4: sample RLTool.exe, resource win10v2004-20240802-en
- behavioral5: sample RLTool.pdb, resource win10v2004-20240802-en
- behavioral6: sample RLTool.runtimeconfig.json, resource win10v2004-20240802-en
General

Target: RLTool.exe
Size: 135KB
MD5: d8dd178edd900a25706432da4168433c
SHA1: 6f97a417179ddcec0a90eeee4dffd76aa2602537
SHA256: 1e2b6bfb5d47fef87162614b2c6e5cecd46ce78a1d5cf7ea1744bc49dde8db5f
SHA512: 6f4b1e2c6c35136899f552c127d992ba30d505ba20f0d5da73801d43d1b1c0a7eb4029a544f5f5eb46a350c7555d4e6c6be6c55db33c4c6a7363f827b68857d8
SSDEEP: 3072:DjK4UGDHXrQ8hy7qgpHulWD9ZvZ5Pf3Ca10xuZ04ntfO6hBut:DjK4TDUqgpqWDLZ5H+xuZ04FhA

Malware Config

Extracted family: stealerium
Extracted config value: 7960275769:AAFsNj7Q9GrsBKzVEmN2fGOLvIQWelRdwOA
Signatures

- Stealerium
  An open source info stealer written in C# first seen in May 2022.

- Disables RegEdit via registry modification (1 IoC)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (RLTool.exe)

- Disables Task Manager via registry modification

- Disables cmd.exe use via registry modification (1 IoC)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" (RLTool.exe)

- Downloads MZ/PE file

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (build.bin)

- Executes dropped EXE (1 IoC)
  PID 2640: build.bin

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.bin)
  Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.bin)
  Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.bin)

- Drops desktop.ini file(s) (1 IoC)
  File opened for modification: C:\Users\Admin\Desktop\desktop.ini (RLTool.exe)

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 41: icanhazip.com

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.webp" (RLTool.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Each of the two netsh.exe processes performed the following three operations on \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh:
  Key opened (netsh.exe)
  Key queried (netsh.exe)
  Key value enumerated (netsh.exe)

- System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by findstr.exe, netsh.exe (2 events), cmd.exe (3 events), taskkill.exe, timeout.exe, build.bin, chcp.com (3 events)

- System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 2 IoCs)
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  PID 4704: netsh.exe
  PID 3568: cmd.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (build.bin)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (build.bin)

- Delays execution with timeout.exe (1 IoC)
  PID 3076: timeout.exe

- Kills process with taskkill (1 IoC)
  PID 4300: taskkill.exe

- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  PID 4876: RLTool.exe (1 event)
  PID 2640: build.bin (27 events)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 4876 (RLTool.exe)
  Token: SeDebugPrivilege, PID 2640 (build.bin)
  Token: SeSecurityPrivilege, PID 4260 (msiexec.exe)
  Token: SeDebugPrivilege, PID 4300 (taskkill.exe)

- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4876: RLTool.exe

- Suspicious use of WriteProcessMemory (36 IoCs)
  Each source/target pair below was recorded three times (12 distinct pairs, 36 events); the number after the target PID is the sandbox's procid_target.
  PID 4876 (RLTool.exe) wrote to memory of 2640, procid_target 92
  PID 2640 (build.bin) wrote to memory of 3568, procid_target 94
  PID 3568 (cmd.exe) wrote to memory of 4308, procid_target 97
  PID 3568 (cmd.exe) wrote to memory of 4704, procid_target 98
  PID 3568 (cmd.exe) wrote to memory of 2132, procid_target 99
  PID 2640 (build.bin) wrote to memory of 4284, procid_target 102
  PID 4284 (cmd.exe) wrote to memory of 3516, procid_target 104
  PID 4284 (cmd.exe) wrote to memory of 2812, procid_target 105
  PID 2640 (build.bin) wrote to memory of 4620, procid_target 108
  PID 4620 (cmd.exe) wrote to memory of 964, procid_target 110
  PID 4620 (cmd.exe) wrote to memory of 4300, procid_target 111
  PID 4620 (cmd.exe) wrote to memory of 3076, procid_target 112

- System policy modification (1 TTP, 4 IoCs)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoClose = "1" (RLTool.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" (RLTool.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (RLTool.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoResetToOEM = "1" (RLTool.exe)

- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.bin)

- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.bin)
Processes

Process tree (indentation shows parent/child depth; the signatures listed under each process are those matched for it):

C:\Users\Admin\AppData\Local\Temp\RLTool.exe (depth 1, PID 4876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RLTool.exe"
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Users\Admin\AppData\Roaming\build.bin (depth 2, PID 2640)
    Command line: "C:\Users\Admin\AppData\Roaming\build.bin"
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3568)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Wi-Fi Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com (depth 4, PID 4308)
        Command line: chcp 65001
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\netsh.exe (depth 4, PID 4704)
        Command line: netsh wlan show profile
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Wi-Fi Discovery

      C:\Windows\SysWOW64\findstr.exe (depth 4, PID 2132)
        Command line: findstr All
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4284)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com (depth 4, PID 3516)
        Command line: chcp 65001
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\netsh.exe (depth 4, PID 2812)
        Command line: netsh wlan show networks mode=bssid
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4620)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1b168266-ba7b-4255-87ec-f58efbc427db.bat"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com (depth 4, PID 964)
        Command line: chcp 65001
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\taskkill.exe (depth 4, PID 4300)
        Command line: taskkill /F /PID 2640
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\timeout.exe (depth 4, PID 3076)
        Command line: timeout /T 2 /NOBREAK
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe

C:\Windows\system32\msiexec.exe (depth 1, PID 4260)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
- C:\Users\Admin\AppData\Local\1f7494d3696a1afeac06a8ddab9ed526\Admin@DSEYXUOD_en-US\Browsers\Firefox\Bookmarks.txt (105B)
- C:\Users\Admin\AppData\Local\1f7494d3696a1afeac06a8ddab9ed526\Admin@DSEYXUOD_en-US\Directories\OneDrive.txt (25B)
- C:\Users\Admin\AppData\Local\1f7494d3696a1afeac06a8ddab9ed526\Admin@DSEYXUOD_en-US\Directories\Startup.txt (24B)
- C:\Users\Admin\AppData\Local\1f7494d3696a1afeac06a8ddab9ed526\Admin@DSEYXUOD_en-US\Directories\Videos.txt (23B)
- (path not captured) (6KB)
- C:\Users\Admin\AppData\Local\1f7494d3696a1afeac06a8ddab9ed526\Admin@DSEYXUOD_en-US\System\Process.txt (4KB)
- C:\Users\Admin\AppData\Local\1f7494d3696a1afeac06a8ddab9ed526\Admin@DSEYXUOD_en-US\System\ProductKey.txt (31B)
- (path not captured) (2B)
- (path not captured) (152B)
- (path not captured) (10KB)
- (path not captured) (3.6MB)