Analysis
- max time kernel: 150s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 09-11-2024 04:18
Behavioral tasks
- behavioral1: Bird.exe, resource win7-20240903-en
- behavioral2: Bird.exe, resource win10v2004-20241007-en
- behavioral3: Crystal.exe, resource win7-20240708-en
- behavioral4: Crystal.exe, resource win10v2004-20241007-en
- behavioral5: Install.exe, resource win7-20240903-en
- behavioral6: Install.exe, resource win10v2004-20241007-en
- behavioral7: Minecraft_v4.4.exe, resource win7-20241010-en
- behavioral8: Minecraft_v4.4.exe, resource win10v2004-20241007-en
- behavioral9: NewHacks.exe, resource win7-20240903-en
- behavioral10: NewHacks.exe, resource win10v2004-20241007-en
- behavioral11: Setup.exe, resource win7-20241010-en
- behavioral12: Setup.exe, resource win10v2004-20241007-en
- behavioral13: Software patch v2.0.5.exe, resource win7-20240903-en
- behavioral14: Software patch v2.0.5.exe, resource win10v2004-20241007-en
- behavioral15: file3.exe, resource win7-20240903-en
- behavioral16: file3.exe, resource win10v2004-20241007-en
- behavioral17: forcenitro2.4.1.exe, resource win7-20241023-en
- behavioral18: forcenitro2.4.1.exe, resource win10v2004-20241007-en
- behavioral19: nitro_gen.exe, resource win7-20240903-en
- behavioral20: nitro_gen.exe, resource win10v2004-20241007-en
General
- Target: Setup.exe
- Size: 373KB
- MD5: 362fdb2e05006cd91ae2d090179b4642
- SHA1: b369e9475eea2e950112592944df5f2b88468fb9
- SHA256: 574e22b44f2b1a0af1e8344a2e674d62c246287fa41c9ee3725120bc329a8a89
- SHA512: 03b049d1214d55e0f8c64b617a8ad04c4aed8a4d97a4bb141c8165fb4d77253291c599f949789b88b6c95fee0a84b4d88b4073e5526269a80dfb57aaab46adff
- SSDEEP: 6144:YoJy3BwMMp7pjyp1UpjomkaKL0l7aRHeh/IpxA3q+/spImOc8ghwBmVea0lHC7aZ:5Lpj+Fmkz9ehQQ6sspImOc8owba0lRdf

Malware Config
Extracted
- Family: redline
- Botnet: Ninja0809
- C2: 185.92.73.140:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral11/memory/2476-6-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
  behavioral11/memory/2476-8-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
  behavioral11/memory/2476-10-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
- Redline family
- SectopRAT payload (3 IoCs)
  resource | yara_rule
  behavioral11/memory/2476-6-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
  behavioral11/memory/2476-8-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
  behavioral11/memory/2476-10-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
- Sectoprat family
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1492 set thread context of 2476 | 1492 | Setup.exe | 29
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1492 | Setup.exe
  Token: SeDebugPrivilege | 2476 | Setup.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1492 wrote to memory of 2476 | 1492 | Setup.exe | 29 (this identical entry is recorded 12 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID: 1492
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Setup.exe (child of PID 1492)
    Command line: C:\Users\Admin\AppData\Local\Temp\Setup.exe
    PID: 2476
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken