Analysis

  • max time kernel
    144s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-11-2024 01:30

General

  • Target

    Trainer v5.7.2.exe

  • Size

    1.1MB

  • MD5

    845b70c2d9468badb00edc87d4f4230a

  • SHA1

    0ca9d48b0fe87f711a2fe44d631c5f5fb87be41e

  • SHA256

    1a5968df13264103fccc2177d3293111db4f1ca9d5767cf581835e3ce2448cac

  • SHA512

    f3f1e507d907ed438ab8f5c80dd940fda0522f2c97615a23c777044a9f880bfbc4509530aa2cb5075c1296d72abfbab9c569d8cc0df6637ecb87cb66af19d4ae

  • SSDEEP

    24576:WsjvrXwxJzL+2mTyuHT6xz40yBwttNt36rug8V:WsrrXwJg7ieB9X

Malware Config

Extracted

  • Family
    redline
  • Botnet
    LEON
  • C2
    45.67.228.152:54641

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Sectoprat family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trainer v5.7.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Trainer v5.7.2.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Windows\SysWOW64\dllhost.exe
      dllhost.exe
      2⤵
        PID:3064
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Ritornata.wmz
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4936
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^rWsNpeeOxAQgsrlZZQLpMsFNgTHekdUFQVfbSYObgokrMRtZDwlfykQLsEmfcqDtGlbcOMuqegVEuBqvPHnlyEmEyDyhmnehEubBxIkRUlhQdkFQErANBz$" Getto.wmz
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4848
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Per.exe.com
            Per.exe.com Z
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:116
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Per.exe.com
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Per.exe.com Z
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2696
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:464
          • C:\Windows\SysWOW64\PING.EXE
            ping localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4880

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Getto.wmz

      Filesize

      872KB

      MD5

      5e20d2e2ebd91e758afc96fad50472aa

      SHA1

      3f059c7209b44a07ea5104659a3d46f949d9f6e0

      SHA256

      bb18171f88ae5d40add076ffcb50b9ab79ae013488948c311744c2cc26f9f1f9

      SHA512

      1db69b440fad2f54083fd784db53202b5bfb6127d65047c6ec97d22977820d2ea021d0f9e53cbef6d48080b241a37454d39431463a7ae81db7939b8c2f7317d8

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Invece.wmz

      Filesize

      1.2MB

      MD5

      e619b9a49218d8e9a3b06bcfd4bf064b

      SHA1

      077b729216cfe6e2cbcdc59c68b482e007e7d82e

      SHA256

      d4697bb20a543e72b69469c1c931c3545434556ad3df91107a8cb1d4ae2ed98e

      SHA512

      b2300cbec099c4f627637e30d35543f06ed81ab2c5b324dfdd3a95a09a2b7f3e0835787350fba5b56491e8f334df4cfb01b298004702b36530038d21b45a5678

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Per.exe.com

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.wmz

      Filesize

      463B

      MD5

      bd379a3d464314a29676b66a2cf239de

      SHA1

      39d25e1d968f342fd617a2c743362b14da4d8378

      SHA256

      06ab28491df2981c081c22d7368986df2e724ad152ae7b7d34ef4d1e9f958f8d

      SHA512

      d19a89a7d994c86063be0d47685f7d69a39ebecd7bbcb432bc1f86df22000c96b7686254b5873deac79d02f3c3e01a72b95c0df7da1ae6a17bf85507cbbaf756

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volge.wmz

      Filesize

      116KB

      MD5

      f3014d0f52ab2788acff6e72d174e855

      SHA1

      c40fcdf53cce76b01d0e24c586dd3f61bebe0886

      SHA256

      8abd557b7ecc9efdc470dc47bec62c8620a62c892387d98fe99b3157053fbf7f

      SHA512

      9952724525acfccbbee1d8803fd77fdecdeec1eb4570b8460245db51d46bff202e2d9d6fa01d157d1ddffaabc2693bbe82c37fa10933db8e86266fa20792bd68

    • memory/464-24-0x0000000000B00000-0x0000000000B22000-memory.dmp

      Filesize

      136KB

    • memory/464-28-0x00000000056A0000-0x0000000005CB8000-memory.dmp

      Filesize

      6.1MB

    • memory/464-29-0x0000000005100000-0x0000000005112000-memory.dmp

      Filesize

      72KB

    • memory/464-30-0x0000000005230000-0x000000000533A000-memory.dmp

      Filesize

      1.0MB

    • memory/464-31-0x0000000005160000-0x000000000519C000-memory.dmp

      Filesize

      240KB

    • memory/464-32-0x00000000051A0000-0x00000000051EC000-memory.dmp

      Filesize

      304KB