Overview

overview

10

Static

static

1

b4283dbd6c...21.exe

windows7-x64

10

b4283dbd6c...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    110s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-11-2024 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4283dbd6c0414501d44222fff439edc15f88955179337f2ba8ae5ad70330721.exe

  • Size

    551KB

  • MD5

    da6597ce526d7c6f8e97ed1a8d80d5ac

  • SHA1

    31f7e6632e21ffba5f0dd841823baef2aff8ffdd

  • SHA256

    b4283dbd6c0414501d44222fff439edc15f88955179337f2ba8ae5ad70330721

  • SHA512

    63db4436eaeabac54ad54e9dd99742d6f7a8e2857807eab5a097ed75273b3298b133754e0eaed47854453c2bd1ba423d0d0f9be7e6691e28ab1888a947e4a1cf

  • SSDEEP

    12288:hhQbEeX/zYMIxKzS7no9YB6Hd5fZoyr+oqfk2AqkY:hh0//PIV7ob/oyr+oqT

Score
10/10
redlinesectopratcheatdiscoveryexecutioninfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.248:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Sectoprat family
    sectoprat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4283dbd6c0414501d44222fff439edc15f88955179337f2ba8ae5ad70330721.exe
    "C:\Users\Admin\AppData\Local\Temp\b4283dbd6c0414501d44222fff439edc15f88955179337f2ba8ae5ad70330721.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b4283dbd6c0414501d44222fff439edc15f88955179337f2ba8ae5ad70330721.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HOjwhlbHdhmAQJ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOjwhlbHdhmAQJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF20C.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2328
    • C:\Users\Admin\AppData\Local\Temp\b4283dbd6c0414501d44222fff439edc15f88955179337f2ba8ae5ad70330721.exe
      "C:\Users\Admin\AppData\Local\Temp\b4283dbd6c0414501d44222fff439edc15f88955179337f2ba8ae5ad70330721.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF20C.tmp
    Filesize

    1KB

    MD5

    6ed3b6f2a93bc16988bf7b2969225602

    SHA1

    81865ce40cf9aaaefe9d4f2fe0030cd981eaeafd

    SHA256

    65aee9c20ee0a75b4a7d113d595368edd41a5e527cf268cf479460fa072d9187

    SHA512

    808392c8d39559ec3ca04c445dd592beb77344c6d72e6d4d7fe4b4e2c752d509dfb904de1f6c25a9917206746e85dfee45a56db165a4bcae4acdb9863b9fc5c3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3UL4ER1ITE08V0TPIC4M.temp
    Filesize

    7KB

    MD5

    f71247036e7c902e70f30e42ce69890f

    SHA1

    ec34c808f7f4f3c1cbc1cbbe9b66a6379e887621

    SHA256

    b59c5d7873fffb996fa3af7fde55c368ac6437aa1167285ee8b2f1cbfc1d8621

    SHA512

    6f7e38ed11e2ac16cedf3fc9d2d56ea732f476c91b9a10d49d66a7135ebb4c004f6ffcfaa20f56c9edab9a4a9cfb1a8a6da7c02aab381a404cc11d3613319e46

    Download Submit

  • memory/2272-4-0x000000007408E000-0x000000007408F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2272-31-0x0000000074080000-0x000000007476E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2272-0-0x000000007408E000-0x000000007408F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2272-5-0x0000000074080000-0x000000007476E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2272-6-0x0000000000600000-0x0000000000660000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2272-2-0x0000000074080000-0x000000007476E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2272-1-0x0000000000D60000-0x0000000000DEC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2272-3-0x00000000005B0000-0x00000000005CC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2628-28-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-25-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-23-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-21-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-19-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-30-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-29-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download