Malware Analysis Report

2024-11-30 02:26

Sample ID 241029-2bkwys1eml
Target Eclipse RAT.zip
SHA256 eca49914c9c9dbaad9e8ee1aaccfecb0d88a6fd610c02fbf873935467b7bf114
Tags lumma redline rhadamanthys discovery infostealer stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 eca49914c9c9dbaad9e8ee1aaccfecb0d88a6fd610c02fbf873935467b7bf114

Threat Level: Known bad

The file Eclipse RAT.zip was found to be: Known bad.

Malicious Activity Summary

lumma redline rhadamanthys discovery infostealer stealer

Rhadamanthys

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Redline family

Lumma Stealer, LummaC

Lumma family

RedLine

RedLine payload

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 22:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 22:24

Reported

2024-10-29 22:27

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Rhadamanthys

stealer rhadamanthys

Rhadamanthys family

rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 3480 created 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\system32\svchost.exe

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO040A9F78\EclipseLoaderX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO04080978\EclipseLoaderX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO04070208\EclipseLoaderX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 64 wrote to memory of 2436 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe
PID 64 wrote to memory of 2436 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe
PID 64 wrote to memory of 2436 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe
PID 2436 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\build.exe
PID 2436 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\build.exe
PID 2436 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\build.exe
PID 2436 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
PID 2436 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
PID 2436 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
PID 888 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\main.exe
PID 888 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\main.exe
PID 888 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\main.exe
PID 3480 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 3480 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 3480 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 3480 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 3480 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 64 wrote to memory of 4060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe
PID 64 wrote to memory of 4060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe
PID 64 wrote to memory of 4060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe
PID 64 wrote to memory of 2472 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO040A9F78\EclipseLoaderX.exe
PID 64 wrote to memory of 2472 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO040A9F78\EclipseLoaderX.exe
PID 64 wrote to memory of 2472 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO040A9F78\EclipseLoaderX.exe
PID 64 wrote to memory of 2452 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO04080978\EclipseLoaderX.exe
PID 64 wrote to memory of 2452 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO04080978\EclipseLoaderX.exe
PID 64 wrote to memory of 2452 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO04080978\EclipseLoaderX.exe
PID 64 wrote to memory of 1188 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO04070208\EclipseLoaderX.exe
PID 64 wrote to memory of 1188 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO04070208\EclipseLoaderX.exe
PID 64 wrote to memory of 1188 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO04070208\EclipseLoaderX.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Eclipse RAT.zip"

C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe

"C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

"C:\Users\Admin\AppData\Local\Temp\Eclipse.exe"

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe

"C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe"

C:\Users\Admin\AppData\Local\Temp\7zO040A9F78\EclipseLoaderX.exe

"C:\Users\Admin\AppData\Local\Temp\7zO040A9F78\EclipseLoaderX.exe"

C:\Users\Admin\AppData\Local\Temp\7zO04080978\EclipseLoaderX.exe

"C:\Users\Admin\AppData\Local\Temp\7zO04080978\EclipseLoaderX.exe"

C:\Users\Admin\AppData\Local\Temp\7zO04070208\EclipseLoaderX.exe

"C:\Users\Admin\AppData\Local\Temp\7zO04070208\EclipseLoaderX.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
NL | 45.15.156.127:23000 | | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
NL | 45.15.156.127:23000 | | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp
US | 8.8.8.8:53 | cleartotalfisherwo.shop | udp
US | 8.8.8.8:53 | worryfillvolcawoi.shop | udp
US | 8.8.8.8:53 | enthusiasimtitleow.shop | udp
US | 8.8.8.8:53 | dismissalcylinderhostw.shop | udp
US | 8.8.8.8:53 | affordcharmcropwo.shop | udp
US | 8.8.8.8:53 | diskretainvigorousiw.shop | udp
US | 8.8.8.8:53 | communicationgenerwo.shop | udp
US | 8.8.8.8:53 | pillowbrocccolipe.shop | udp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp
US | 8.8.8.8:53 | cleartotalfisherwo.shop | udp
US | 8.8.8.8:53 | worryfillvolcawoi.shop | udp
US | 8.8.8.8:53 | enthusiasimtitleow.shop | udp
US | 8.8.8.8:53 | dismissalcylinderhostw.shop | udp
US | 8.8.8.8:53 | affordcharmcropwo.shop | udp
US | 8.8.8.8:53 | diskretainvigorousiw.shop | udp
US | 8.8.8.8:53 | communicationgenerwo.shop | udp
US | 8.8.8.8:53 | pillowbrocccolipe.shop | udp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
NL | 45.15.156.127:23000 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp
NL | 45.15.156.127:23000 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe

MD5 e94abe514202de0a3e24c0f45ccea8a6
SHA1 27770fa35ea2ca6e1cd87f669e21f5e29cfaa381
SHA256 c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606
SHA512 1fe72a35e6e0da642c42848d5009538ab97d5e833466abd25f2aa03e96f8b637a2a9a30054c8ebdf4cdf80570e39f387c9b6a535105a3e9b36b846570114c0d3

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 e5fb57e8214483fd395bd431cb3d1c4b
SHA1 60e22fc9e0068c8156462f003760efdcac82766b
SHA256 e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684
SHA512 dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

MD5 d1b974d3816357532a0de6b388c5c361
SHA1 fef9e938027e649ebbcffb074c65d46b2d0a1621
SHA256 f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
SHA512 c4025fd2cc9c08c7319fc9574913d793954ba93b01288a5f03cf12beeaa40617c182f850ab40c1be434c80024632f395a355622f1bc4d0ce4dae987d43868f35

memory/4372-28-0x00000000006E0000-0x0000000000736000-memory.dmp

memory/2436-35-0x0000000000400000-0x0000000001020000-memory.dmp

memory/4372-37-0x0000000005330000-0x0000000005948000-memory.dmp

memory/4372-38-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/4372-40-0x0000000004E20000-0x0000000004F2A000-memory.dmp

memory/4372-41-0x0000000004D10000-0x0000000004D4C000-memory.dmp

memory/4372-42-0x0000000004D50000-0x0000000004D9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main.exe

MD5 e1e28c3acf184aa364c9ed9a30ab7289
SHA1 1a173a6f4ec39fe467f1b4b91c9fad794167ac1c
SHA256 03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306
SHA512 e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991

memory/3480-51-0x0000000000530000-0x00000000005B8000-memory.dmp

memory/888-53-0x0000000000400000-0x0000000000F9C000-memory.dmp

memory/3480-54-0x0000000003D20000-0x0000000004120000-memory.dmp

memory/3480-55-0x0000000003D20000-0x0000000004120000-memory.dmp

memory/3480-56-0x00007FF902290000-0x00007FF902485000-memory.dmp

memory/1688-59-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

memory/3480-58-0x0000000076B30000-0x0000000076D45000-memory.dmp

memory/3480-60-0x0000000000530000-0x00000000005B8000-memory.dmp

memory/1688-62-0x0000000002750000-0x0000000002B50000-memory.dmp

memory/1688-63-0x00007FF902290000-0x00007FF902485000-memory.dmp

memory/1688-65-0x0000000076B30000-0x0000000076D45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe

MD5 9c9245810bad661af3d6efec543d34fd
SHA1 93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d
SHA256 f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478
SHA512 90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

memory/4060-75-0x0000000000440000-0x000000000048B000-memory.dmp

memory/4060-80-0x0000000000440000-0x000000000048B000-memory.dmp

memory/2472-90-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2472-95-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2452-105-0x0000000000FA0000-0x0000000000FEB000-memory.dmp

memory/2452-110-0x0000000000FA0000-0x0000000000FEB000-memory.dmp

memory/1188-120-0x0000000000E70000-0x0000000000EBB000-memory.dmp

memory/1188-125-0x0000000000E70000-0x0000000000EBB000-memory.dmp