Overview

Overall score: 10

| Target | Platform | Score |
|---|---|---|
| Static | static | 10 |
| Bird.exe | windows7-x64 | 10 |
| Bird.exe | windows10-2004-x64 | 10 |
| CSGO FREE HACK.exe | windows7-x64 | 10 |
| CSGO FREE HACK.exe | windows10-2004-x64 | 10 |
| CSGO FREEHACK.exe | windows7-x64 | 3 |
| CSGO FREEHACK.exe | windows10-2004-x64 | 3 |
| CSGhost-v4.1.exe | windows7-x64 | 8 |
| CSGhost-v4.1.exe | windows10-2004-x64 | 10 |
| Install.exe | windows7-x64 | 10 |
| Install.exe | windows10-2004-x64 | 10 |
| Installer.exe | windows7-x64 | 10 |
| Installer.exe | windows10-2004-x64 | 10 |
| Installer2.exe | windows7-x64 | 10 |
| Installer2.exe | windows10-2004-x64 | 10 |
| Kiddions Mod MENU.exe | windows7-x64 | 7 |
| Kiddions Mod MENU.exe | windows10-2004-x64 | 7 |
| Minecraft_v4.5.exe | windows7-x64 | 10 |
| Minecraft_v4.5.exe | windows10-2004-x64 | 10 |
| Vape Crack.exe | windows7-x64 | 10 |
| Vape Crack.exe | windows10-2004-x64 | 10 |
| Vape Patch.exe | windows7-x64 | 10 |
| Vape Patch.exe | windows10-2004-x64 | 10 |
| Vape_V4.exe | windows7-x64 | 10 |
| Vape_V4.exe | windows10-2004-x64 | 10 |
| launcher.exe | windows7-x64 | 10 |
| launcher.exe | windows10-2004-x64 | 10 |
| nixware crack.exe | windows7-x64 | 3 |
| nixware crack.exe | windows10-2004-x64 | 3 |

Analysis
- max time kernel: 136s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-11-2024 16:28
Behavioral tasks

| Task | Sample | Resource |
|---|---|---|
| behavioral1 | Bird.exe | win7-20241023-en |
| behavioral2 | Bird.exe | win10v2004-20241007-en |
| behavioral3 | CSGO FREE HACK.exe | win7-20240903-en |
| behavioral4 | CSGO FREE HACK.exe | win10v2004-20241007-en |
| behavioral5 | CSGO FREEHACK.exe | win7-20240903-en |
| behavioral6 | CSGO FREEHACK.exe | win10v2004-20241007-en |
| behavioral7 | CSGhost-v4.1.exe | win7-20240729-en |
| behavioral8 | CSGhost-v4.1.exe | win10v2004-20241007-en |
| behavioral9 | Install.exe | win7-20240903-en |
| behavioral10 | Install.exe | win10v2004-20241007-en |
| behavioral11 | Installer.exe | win7-20241010-en |
| behavioral12 | Installer.exe | win10v2004-20241007-en |
| behavioral13 | Installer2.exe | win7-20240903-en |
| behavioral14 | Installer2.exe | win10v2004-20241007-en |
| behavioral15 | Kiddions Mod MENU.exe | win7-20240903-en |
| behavioral16 | Kiddions Mod MENU.exe | win10v2004-20241007-en |
| behavioral17 | Minecraft_v4.5.exe | win7-20240903-en |
| behavioral18 | Minecraft_v4.5.exe | win10v2004-20241007-en |
| behavioral19 | Vape Crack.exe | win7-20240903-en |
| behavioral20 | Vape Crack.exe | win10v2004-20241007-en |
| behavioral21 | Vape Patch.exe | win7-20240903-en |
| behavioral22 | Vape Patch.exe | win10v2004-20241007-en |
| behavioral23 | Vape_V4.exe | win7-20240903-en |
| behavioral24 | Vape_V4.exe | win10v2004-20241007-en |
| behavioral25 | launcher.exe | win7-20241010-en |
| behavioral26 | launcher.exe | win10v2004-20241007-en |
| behavioral27 | nixware crack.exe | win7-20240903-en |
| behavioral28 | nixware crack.exe | win10v2004-20241007-en |
General

- Target: Vape Crack.exe
- Size: 356KB
- MD5: 179dbbdb6e22f978115168d87a70ab33
- SHA1: 324a73e17fdcada034d3ad841286f9d6b5873fcb
- SHA256: 258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463
- SHA512: 237a58b819f086f9ed2215e99d7b13ed027d252e47a3ba17deb5b28e3db27f853f2d2d75bdbfb3b875dec8dc0fa4fb059e3be6e41dc3b47b2020c2298a6b0358
- SSDEEP: 6144:zo9QlVmhcIS/rwO+l7qYspB2NnYXmJ8tuy2a9W17fyF45pDBKoydJ:zdxrwHRqxQNYXO8tt2aw1DyWPDO
Malware Config

Extracted

- Family: redline
- Botnet: @bestiefFcs
- C2: 37.1.213.214:63028
Signatures

RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)

| resource | yara_rule |
|---|---|
| behavioral19/memory/11756-2516-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline |

Redline family

SectopRAT payload (1 IoC)

| resource | yara_rule |
|---|---|
| behavioral19/memory/11756-2516-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat |

Sectoprat family
System Binary Proxy Execution: Regsvcs/Regasm (1 TTP, 2 IoCs)

Abuse Regasm to proxy execution of malicious code.

| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | Vape Crack.exe |
| Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe | Vape Crack.exe |

Executes dropped EXE (1 IoC)

| pid | Process |
|---|---|
| 11756 | RegAsm.exe |

Loads dropped DLL (2 IoCs)

| pid | Process |
|---|---|
| 1636 | Vape Crack.exe |
| 11756 | RegAsm.exe |

Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1636 set thread context of 11756 | 1636 | Vape Crack.exe | 36 |

Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Vape Crack.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe |
Suspicious behavior: EnumeratesProcesses (4 IoCs)

| pid | Process |
|---|---|
| 1200 | powershell.exe |
| 2988 | powershell.exe |
| 1636 | Vape Crack.exe |
| 1636 | Vape Crack.exe |

Suspicious use of AdjustPrivilegeToken (44 IoCs)

Tokens adjusted, grouped by process (description / pid / Process):

- powershell.exe (PID 1200), 21 tokens: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- powershell.exe (PID 2988), 21 tokens: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Vape Crack.exe (PID 1636), 1 token: SeDebugPrivilege
- RegAsm.exe (PID 11756), 1 token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (20 IoCs)

| description | pid | Process | procid_target | calls logged |
|---|---|---|---|---|
| PID 1636 wrote to memory of 1200 | 1636 | Vape Crack.exe | 31 | 4 |
| PID 1636 wrote to memory of 2988 | 1636 | Vape Crack.exe | 34 | 4 |
| PID 1636 wrote to memory of 11756 | 1636 | Vape Crack.exe | 36 | 12 |
Processes

- C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe (PID 1636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe"
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1200)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2988)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe (PID 11756)
    Command line: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KRC02O6IUKGLZGQQE61M.temp
  - Filesize: 7KB
  - MD5: 17984f44880547c633aaa045d4cc8d28
  - SHA1: 018ef977dce56c2b143228f334002a87f7d1bb31
  - SHA256: 91349d976beb92ff111f28f378d7853e69287d6bf6a39e4a2444390df715300b
  - SHA512: b7a44e89ccba516be6440992c9c1423f57b50d12d2de681f6eaa166116f070c4c6a735e47e7c45d639dd64a425c93c79d8463f7eeed885c97f8dfc3bdc3bf0d6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  - Filesize: 7KB
  - MD5: bad4aa35d2377b6a2906fadea728c258
  - SHA1: 813663aabd6cd88bdff1958e48b950dea5a19046
  - SHA256: 70c07d9167df0163ef649aae6c055c0504eb6dfc77755603cc8440d118aac3e5
  - SHA512: 93a102a177a5ecf6b6f58543d712e579505eb231542858dbe078ab46c3c971b11ccf461ea41a0bae8d7efdfb5f2f0e3683eb214dbd889da9ac562c5de383a6fe
- (path not listed in the report)
  - Filesize: 63KB
  - MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  - SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  - SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  - SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab