Overview

overview

10

Static

static

1

594799c095...36.exe

windows7-x64

1

594799c095...36.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    594799c0954909a57334da81f783f46dcdbf8e275f85376f4e924c0db9629536.exe

  • Size

    1.9MB

  • MD5

    bd061f324fe93a101194c1233d731cc9

  • SHA1

    59613b072c8755d17b22e0d4d908021708545088

  • SHA256

    594799c0954909a57334da81f783f46dcdbf8e275f85376f4e924c0db9629536

  • SHA512

    92f885ea4f332bdb6f25261d32eac13fd632ce1f4ece48a82d15e47d5f0fd248a41c715d0853bf9ce67208d839c006bcf2d19a0e9057d140acf99ec1f593e715

  • SSDEEP

    24576:lWYifwafT73ARA3/bSonGxysx/Z2e91kOZg18wcG4TgCcmYsruug:lidT4wXWwr98NTgCpdvg

Score
10/10
redlinerhadamanthysppilab_20230110discoveryinfostealerstealer

Malware Config

Extracted

Family

redline

Botnet

PPILAB_20230110

C2

179.43.175.174:80

Attributes
  • auth_value

    0b4817e037a97cddb9de49b467d5e0e3

Extracted

Family

rhadamanthys

C2

http://109.206.243.168/upload/libcurl.dll

Signatures

  • Detect rhadamanthys stealer shellcode 3 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Redline family
    redline
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:776
      • C:\Windows\SysWOW64\fontview.exe
        "C:\Windows\SYSWOW64\fontview.exe"
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:2024
    • C:\Users\Admin\AppData\Local\Temp\594799c0954909a57334da81f783f46dcdbf8e275f85376f4e924c0db9629536.exe
      "C:\Users\Admin\AppData\Local\Temp\594799c0954909a57334da81f783f46dcdbf8e275f85376f4e924c0db9629536.exe"
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1268
        2⤵
        • Program crash
        PID:3048
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1276
        2⤵
        • Program crash
        PID:4192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3704 -ip 3704
      1⤵
        PID:2768
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3704 -ip 3704
        1⤵
          PID:3400

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\240626953.dll
          Filesize

          442KB

          MD5

          acf51213c2e0b564c28cf0db859c9e38

          SHA1

          0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0

          SHA256

          643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7

          SHA512

          15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed

          Download Submit

        • memory/2024-27-0x0000000002E60000-0x0000000003E60000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/2024-23-0x0000000002990000-0x00000000029AD000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2024-15-0x0000000000BA0000-0x0000000000BD5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2024-21-0x0000000000E80000-0x0000000000F80000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2024-30-0x0000000000BA0000-0x0000000000BD5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2024-31-0x0000000002990000-0x00000000029AD000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2024-25-0x0000000002930000-0x0000000002932000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3704-33-0x0000000002540000-0x00000000026C4000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3704-0-0x0000000002540000-0x00000000026C4000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3704-24-0x000000000AB50000-0x000000000AE0E000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3704-1-0x000000000AB50000-0x000000000AE0E000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3704-22-0x0000000002540000-0x00000000026C4000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3704-2-0x000000000AB50000-0x000000000AE0E000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3964-8-0x0000000003030000-0x0000000003036000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3964-19-0x0000000001650000-0x000000000169C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3964-18-0x000000000AD20000-0x000000000AD5C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3964-17-0x000000000ACC0000-0x000000000ACD2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3964-14-0x000000000AD90000-0x000000000AE9A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3964-13-0x000000000B220000-0x000000000B838000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3964-12-0x0000000073A40000-0x00000000741F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3964-28-0x0000000073A4E000-0x0000000073A4F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3964-29-0x0000000073A40000-0x00000000741F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3964-6-0x0000000073A4E000-0x0000000073A4F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3964-5-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/3964-3-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download