Analysis
-
max time kernel
95s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2024 10:48
Behavioral task
behavioral1
Sample
PRODUCT LIST.exe
Resource
win7-20240903-en
General
-
Target
PRODUCT LIST.exe
-
Size
1.7MB
-
MD5
a9b805862ccee6848ce91ef51a31f71d
-
SHA1
4ca749b30f879945324811f5924996765aa7d2e4
-
SHA256
9bdef064f9693bbae4a073b09a795c7b27e7486c10b3c7d920019ca3729bb434
-
SHA512
94b6cc887127129a3b51dd68b8d29e417a70e7538668f5bfb4d5e1769d74e2ce44dcef9f36ab6021e04fb1e78f710bcc859163e064d91793e5a3b756fe067d97
-
SSDEEP
24576:DRhMoSwfXo0P9Ej+zE2bb1SfyeeYF2yjfLV/JFzQXYiU4L/E/pWWG8WHHSx44s8/:DgNwfevYoaTerPtsYikWWG8GJ88Y6eb
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Redline family
-
SectopRAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2652-10-0x00000000007F0000-0x0000000000DA4000-memory.dmp family_sectoprat behavioral2/memory/2652-187-0x00000000007F0000-0x0000000000DA4000-memory.dmp family_sectoprat -
Sectoprat family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
PRODUCT LIST.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ PRODUCT LIST.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
PRODUCT LIST.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion PRODUCT LIST.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PRODUCT LIST.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/2652-10-0x00000000007F0000-0x0000000000DA4000-memory.dmp themida behavioral2/memory/2652-187-0x00000000007F0000-0x0000000000DA4000-memory.dmp themida -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
PRODUCT LIST.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PRODUCT LIST.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
PRODUCT LIST.exepid Process 2652 PRODUCT LIST.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
PRODUCT LIST.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PRODUCT LIST.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
PRODUCT LIST.exepid Process 2652 PRODUCT LIST.exe 2652 PRODUCT LIST.exe 2652 PRODUCT LIST.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PRODUCT LIST.exedescription pid Process Token: SeDebugPrivilege 2652 PRODUCT LIST.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST.exe"C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD5d9f3a549453b94ec3a081feb24927cd7
SHA11af72767f6dfd1eaf78b899c3ad911cfa3cd09c8
SHA256ff366f2cf27da8b95912968ac830f2db3823f77c342e73ee45ec335dbc2c1a73
SHA512f48765c257e1539cacce536e4f757e3d06388a6e7e6c7f714c3fce2290ce7cdb5f0e8bb8db740b5899ba8b53e2ed8b47e08b0d043bb8df5a660841dc2c204029
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
96KB
MD540f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1d6582ba879235049134fa9a351ca8f0f785d8835
SHA256cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2