Analysis
max time kernel: 135s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:13
Static task: static1
Behavioral task: behavioral1
  Sample: 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe
  Resource: win10v2004-20241007-en
The signatures and process tree below come from behavioral2 (all memory-dump resources are prefixed behavioral2/).
General
Target: 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe
Size: 1.6MB
MD5: 0de6f1d98b72c2b6dd14f1de17212162
SHA1: 496a24d09fba3bc5414365e4ac32c04a2b9391e2
SHA256: 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4
SHA512: 96ba787de04bdb05f8dcf7b6e954404d1a67f589e5e80b4cc5162a5b9a827270e10e47ea13f2d5b5bcde6a1a510487583a00dd3f5fcffd641a1957a89309d3bd
SSDEEP: 24576:I9AmP6qNqlGVRFqeMxY400MAuZo7Lnm1todLMtKSHZynPtYy4IN71lyg+Fwzr:Ib6qNqlGExY38AN/Zyl53l1lyxqzr
Malware Config
Extracted: redline
  Botnet: februm2
  C2: 5.75.172.247:11969
  auth_value: 85624adef57d62e6e1b978ecfa9417da
Extracted: rhadamanthys
  URL: http://109.206.243.168/upload/libcurl.dll
Signatures

Detect rhadamanthys stealer shellcode (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2872-52-0x00000000021D0000-0x00000000021EC000-memory.dmp | family_rhadamanthys
  behavioral2/memory/2872-54-0x00000000021D0000-0x00000000021EC000-memory.dmp | family_rhadamanthys
  PID 2872 is fontview.exe, a process the sample (PID 4280) wrote into (see WriteProcessMemory below); the Rhadamanthys hit is in that written region, not in fontview.exe's own image.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/3308-35-0x0000000000400000-0x0000000000432000-memory.dmp | family_redline
  PID 3308 is ngentask.exe and the hit sits at 0x400000, the default image base of a 32-bit PE. Together with the SetThreadContext and WriteProcessMemory calls from PID 4280 into 3308 (below), this is the RedLine payload hollowed into ngentask.exe.

Redline family

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 4280 created 2668 | 4280 | 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | 51
  In the process tree, fontview.exe (PID 2872) is shown under taskhostw.exe (PID 2668) even though the sample (PID 4280) is the process that wrote to its memory; that is consistent with the sample creating fontview.exe with a spoofed parent process.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe

Loads dropped DLL (1 IoC)
  pid | Process
  4280 | 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | Process | count
  2872 | fontview.exe | 3

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4280 set thread context of 3308 | 4280 | 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | 96

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  1584 | 4280 | WerFault.exe | 83
  5036 | 4280 | WerFault.exe | 83

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ngentask.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fontview.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | fontview.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | fontview.exe

Suspicious behavior: EnumeratesProcesses (50 IoCs)
  pid | Process | count
  2312 | powershell.exe | 2
  4280 | 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | 48

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2312 | powershell.exe
  Token: SeShutdownPrivilege | 2872 | fontview.exe
  Token: SeCreatePagefilePrivilege | 2872 | fontview.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target | count
  PID 4280 wrote to memory of 2312 | 4280 | 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | 85 | 3
  PID 4280 wrote to memory of 3308 | 4280 | 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | 96 | 5
  PID 4280 wrote to memory of 2872 | 4280 | 8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | 97 | 4
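The NtCreateUserProcessOtherParentProcess, SetThreadContext and WriteProcessMemory signatures above describe two different techniques: parent-PID spoofing (the child's recorded parent is not the process that called the create API) and process hollowing (another process writes into a freshly created child and replaces its thread context before the child runs). The Python below is an added example, not sandbox output or tooling from the report: it replays a constructed event stream built from this report's PIDs and images and flags both. The creator PID only exists because a kernel-side hook like the sandbox's records it; Sysmon Event ID 1 and Get-Process only show the recorded (and attacker-chosen) parent, which is the caveat the spoofing check depends on.

```python
"""Added example (not part of the report): rebuild a process tree from
sandbox-style events and flag parent-PID spoofing and process hollowing.
The EVENTS list is constructed from the PIDs and images in this report."""

SAMPLE = "8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe"

# Constructed event stream, modelled on the report's signatures:
#   ("create", creator_pid, new_pid, image, recorded_parent_pid)
#   ("write",  writer_pid,  target_pid)    # WriteProcessMemory
#   ("setctx", caller_pid,  target_pid)    # SetThreadContext
# creator_pid is what a create-process hook sees; recorded_parent_pid is what
# the process object (and thus Sysmon / Get-Process) reports.
EVENTS = [
    ("create", None, 2668, "taskhostw.exe", None),
    ("create", None, 4280, SAMPLE, None),
    ("create", 4280, 2312, "powershell.exe", 4280),
    ("write", 4280, 2312),                         # normal CreateProcess side effect
    ("create", 4280, 3308, "ngentask.exe", 4280),
    ("write", 4280, 3308),
    ("setctx", 4280, 3308),                        # write + new entry point = hollowing
    ("create", 4280, 2872, "fontview.exe", 2668),  # parent recorded as taskhostw.exe
    ("write", 4280, 2872),
]


def build_tree(events):
    """Index processes by PID, collecting who wrote into them and who
    replaced their thread context."""
    procs = {}
    for ev in events:
        if ev[0] == "create":
            _, creator, pid, image, ppid = ev
            procs[pid] = {"image": image, "ppid": ppid, "creator": creator,
                          "writers": set(), "ctx_setters": set()}
        elif ev[0] == "write":
            procs[ev[2]]["writers"].add(ev[1])
        elif ev[0] == "setctx":
            procs[ev[2]]["ctx_setters"].add(ev[1])
    return procs


def find_ppid_spoofing(procs):
    """Recorded parent differs from the process that actually called create."""
    return {pid for pid, p in procs.items()
            if p["creator"] is not None and p["ppid"] != p["creator"]}


def find_hollowing(procs):
    """Some other process both wrote into the target and reset its thread
    context. A plain CreateProcess produces the write alone, so a write by
    itself (PID 2312 here) is not flagged."""
    return {pid for pid, p in procs.items()
            if (p["writers"] & p["ctx_setters"]) - {pid}}


def render_tree(procs):
    """Tree keyed on the real creator, annotating spoofed parents."""
    lines = []

    def walk(parent, depth):
        for pid, p in sorted(procs.items()):
            real = p["creator"] if p["creator"] is not None else p["ppid"]
            if real != parent:
                continue
            note = ""
            if p["creator"] is not None and p["creator"] != p["ppid"]:
                note = f" [recorded parent {p['ppid']}]"
            lines.append(f"{'  ' * depth}{pid} {p['image']}{note}")
            walk(pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print("\n".join(render_tree(tree)))
    print("parent-PID spoofing:", find_ppid_spoofing(tree))
    print("process hollowing:", find_hollowing(tree))
```

On this report's PIDs the checks return 2872 (fontview.exe, recorded parent 2668) for spoofing and 3308 (ngentask.exe) for hollowing, matching the YARA hits above.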
Processes

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2668
  child: C:\Windows\SysWOW64\fontview.exe
    command line: "C:\Windows\SYSWOW64\fontview.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID: 2872

C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4280
  child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgAwAA==
    (the sample is 32-bit, so the System32 path in the command line is redirected to SysWOW64 by WoW64)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2312
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    - System Location Discovery: System Language Discovery
    PID: 3308
  child: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 996
    - Program crash
    PID: 1584
  child: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 972
    - Program crash
    PID: 5036

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4280 -ip 4280
  PID: 1428

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4280 -ip 4280
  PID: 3988
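The powershell.exe child in the tree was started with -exec bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgAwAA==. -EncodedCommand takes the script as Base64 over UTF-16LE text, which is why the blob has a 0x00 byte in every second position and reads as UwB0AGEA... rather than Base64 of ASCII; here it decodes to Start-Sleep 20. The Python below is an added example, not part of the report: it decodes the argument and handles the abbreviated switch forms powershell.exe accepts (-e, -ec and any longer prefix of -EncodedCommand; -ex, -ep, -exec for -ExecutionPolicy). The command line is copied from the report; the function names and the second, hidden-window command line in the usage are mine.

```python
"""Added example (not from the report): decode a powershell.exe
-EncodedCommand argument and pull out the evasion-relevant switches."""
import base64
import re

# Command line of PID 2312, copied from the process tree above.
CMDLINE = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
           '-exec bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgAwAA==')


def _is_flag(token, name, minimum, aliases=()):
    """powershell.exe matches a switch by prefix: any leading substring of
    the parameter name at least `minimum` chars long, plus the documented
    short aliases (-ec, -ep). Matching exact strings would miss -enco, -exec."""
    if token[:1] not in ("-", "/"):
        return False
    stem = token[1:].lower()
    return stem in aliases or (len(stem) >= minimum and name.startswith(stem))


def decode_encoded_command(blob):
    """-EncodedCommand is Base64 of the script encoded as UTF-16LE."""
    blob = blob + "=" * (-len(blob) % 4)   # tolerate stripped '=' padding
    return base64.b64decode(blob).decode("utf-16-le")


def analyse_powershell_cmdline(cmdline):
    # Windows command lines are not shell-escaped; keep quoted paths whole.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    result = {"image": tokens[0], "encoded_command": None,
              "execution_policy": None, "window_hidden": False,
              "no_profile": False}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if _is_flag(tok, "encodedcommand", 1, ("ec",)) and nxt is not None:
            result["encoded_command"] = decode_encoded_command(nxt)
            i += 2
        elif _is_flag(tok, "executionpolicy", 2, ("ep",)) and nxt is not None:
            result["execution_policy"] = nxt.lower()
            i += 2
        elif _is_flag(tok, "windowstyle", 1) and nxt is not None:
            result["window_hidden"] = nxt.lower() == "hidden"
            i += 2
        elif _is_flag(tok, "noprofile", 3):
            result["no_profile"] = True
            i += 1
        else:
            i += 1
    return result


if __name__ == "__main__":
    print(analyse_powershell_cmdline(CMDLINE))
    # Constructed variant using the short aliases and a hidden window.
    print(analyse_powershell_cmdline(
        "powershell -nop -w hidden -ec UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgAwAA=="))
```

Decoding before matching matters: a detection that keys on strings in the command line sees only the Base64 blob, while the decoded "Start-Sleep 20" shows the child was spawned purely to delay, which is why the only other things it triggered were language and process enumeration checks.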
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 334KB
MD5: 2303afbb371daf8ea5b5a4e231773781
SHA1: a0956adc94c9cce4a2aeb399328accde1b1326c6
SHA256: efdb9aa53580c9f3a8200e1a401d1c63c9e3a29a046857f6b89be0a64c2a1a31
SHA512: 9aab7c7b55d507f28e688c5b8a41811069efb8d35bfbd92de0ffd86e1ceca2e5e681b5c85d51abd139a19f9c48f7a14c5b7e4b7ed540bd5d4a574c7d34d5857f

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82