Malware Analysis Report

2024-11-30 02:34

Sample ID 241030-c117ssvcma
Target Eclipse RAT.zip
SHA256 eca49914c9c9dbaad9e8ee1aaccfecb0d88a6fd610c02fbf873935467b7bf114
Tags
lumma redline rhadamanthys discovery infostealer stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file Eclipse RAT.zip was found to be: Known bad.

Malicious Activity Summary

Rhadamanthys family

Lumma family

Lumma Stealer, LummaC

Redline family

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

RedLine

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 02:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 02:33

Reported

2024-10-30 02:43

Platform

win10ltsc2021-20241023-en

Max time kernel

434s

Max time network

437s

Command Line

sihost.exe

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Rhadamanthys

stealer rhadamanthys

Rhadamanthys family

rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2700 created 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\system32\sihost.exe

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\build.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO85E64E58\EclipseLoaderX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO85E68348\EclipseLoaderX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3672 wrote to memory of 1848 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe
PID 3672 wrote to memory of 1848 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe
PID 3672 wrote to memory of 1848 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe
PID 1848 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1848 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1848 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
PID 2456 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2456 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2456 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2700 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 2700 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 2700 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 2700 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 2700 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe
PID 3672 wrote to memory of 2060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe
PID 3672 wrote to memory of 2060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe
PID 3672 wrote to memory of 2060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe
PID 3672 wrote to memory of 3736 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E64E58\EclipseLoaderX.exe
PID 3672 wrote to memory of 3736 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E64E58\EclipseLoaderX.exe
PID 3672 wrote to memory of 3736 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E64E58\EclipseLoaderX.exe
PID 3672 wrote to memory of 5060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E68348\EclipseLoaderX.exe
PID 3672 wrote to memory of 5060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E68348\EclipseLoaderX.exe
PID 3672 wrote to memory of 5060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO85E68348\EclipseLoaderX.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Eclipse RAT.zip"

C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe

"C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

"C:\Users\Admin\AppData\Local\Temp\Eclipse.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 452

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe

"C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe"

C:\Users\Admin\AppData\Local\Temp\7zO85E64E58\EclipseLoaderX.exe

"C:\Users\Admin\AppData\Local\Temp\7zO85E64E58\EclipseLoaderX.exe"

C:\Users\Admin\AppData\Local\Temp\7zO85E68348\EclipseLoaderX.exe

"C:\Users\Admin\AppData\Local\Temp\7zO85E68348\EclipseLoaderX.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp
US | 8.8.8.8:53 | cleartotalfisherwo.shop | udp
US | 8.8.8.8:53 | worryfillvolcawoi.shop | udp
US | 8.8.8.8:53 | enthusiasimtitleow.shop | udp
US | 8.8.8.8:53 | dismissalcylinderhostw.shop | udp
US | 8.8.8.8:53 | affordcharmcropwo.shop | udp
US | 8.8.8.8:53 | diskretainvigorousiw.shop | udp
US | 8.8.8.8:53 | communicationgenerwo.shop | udp
US | 8.8.8.8:53 | pillowbrocccolipe.shop | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe

MD5 e94abe514202de0a3e24c0f45ccea8a6
SHA1 27770fa35ea2ca6e1cd87f669e21f5e29cfaa381
SHA256 c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606
SHA512 1fe72a35e6e0da642c42848d5009538ab97d5e833466abd25f2aa03e96f8b637a2a9a30054c8ebdf4cdf80570e39f387c9b6a535105a3e9b36b846570114c0d3

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 e5fb57e8214483fd395bd431cb3d1c4b
SHA1 60e22fc9e0068c8156462f003760efdcac82766b
SHA256 e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684
SHA512 dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

MD5 d1b974d3816357532a0de6b388c5c361
SHA1 fef9e938027e649ebbcffb074c65d46b2d0a1621
SHA256 f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
SHA512 c4025fd2cc9c08c7319fc9574913d793954ba93b01288a5f03cf12beeaa40617c182f850ab40c1be434c80024632f395a355622f1bc4d0ce4dae987d43868f35

C:\Users\Admin\AppData\Local\Temp\main.exe

MD5 e1e28c3acf184aa364c9ed9a30ab7289
SHA1 1a173a6f4ec39fe467f1b4b91c9fad794167ac1c
SHA256 03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306
SHA512 e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991

C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe

MD5 9c9245810bad661af3d6efec543d34fd
SHA1 93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d
SHA256 f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478
SHA512 90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767
