Overview

overview

10

Static

static

3

xxSMTPxx.rar

windows10-2004-x64

10

xxSMTPxx.rar

windows11-21h2-x64

1

xxSMTPxx/P...xx.exe

windows10-2004-x64

10

xxSMTPxx/P...xx.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1777s
  • max time network
    1795s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-12-2024 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xxSMTPxx/Private Cracker/xxSMTPxx.exe

  • Size

    4.6MB

  • MD5

    9088655d2558fc34338e8b06e98cd403

  • SHA1

    cfeb0f3d288ead6c9fd0aaa4e05dd53127696c22

  • SHA256

    3e44ce378be97fc687a392f97abfe6ee0f9e4b1c15d88347668d7c384f7024ac

  • SHA512

    49a8cccf8a8801c946fba88a0e6a68f19443dc5e5e01f9d0d09e6bc9cf9bc41932c939e975d63167adb6e73b62f2235fe3dd07dafbb6220467427eacede268a0

  • SSDEEP

    98304:il9Goe+rmZQHPN6zkioyxx8zhSGw0g61nWYK6wgPI3:ils9+ro+N9DSTmnWYK6wYI

Score
10/10
redlinenonamebootkitdiscoveryevasionexecutioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

noname

C2

148.163.89.57:42212

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\xxSMTPxx\Private Cracker\xxSMTPxx.exe
    "C:\Users\Admin\AppData\Local\Temp\xxSMTPxx\Private Cracker\xxSMTPxx.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypt.exe
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5472
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypt.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5632
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5968
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AXIMTR~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AXIMTR~1.EXE
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:6028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    1a9fa92a4f2e2ec9e244d43a6a4f8fb9

    SHA1

    9910190edfaccece1dfcc1d92e357772f5dae8f7

    SHA256

    0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

    SHA512

    5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AXIMTR~1.EXE
    Filesize

    4.4MB

    MD5

    b2d1a96a8acfb533024134a5c4a00415

    SHA1

    92b344a2fbba4fa4ab867dbaeba3c665049b58c0

    SHA256

    3302d8e800fd5eedff91f8bd33ec2d2eec39a15a8e6ab6fa66d5e6ca9579a94c

    SHA512

    d6b5983fbfc020c1682a553ba7bb661bcc5f0a66a2357922a5e41b82db3a8eb1499abaa0bae759a52bef70697da35f2ae4b3274f5ce50a1264c6d17072e5a2ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypt.exe
    Filesize

    5.9MB

    MD5

    ce884d815d7f0ae4aacdeea75d719bd4

    SHA1

    8b4909fa0a3a6165939828efcd32cf710100c2f2

    SHA256

    f4b08e6a81b7ff4d6517ce9b0facd78857ff41f4e6a1ef725616cb5341522f82

    SHA512

    f8ec9ba7430b57f9792b434878f1f85ec8c2fb28b0f0ea0e6eed0c35419e6ec3332b86802c4b0c2efd8007b03d0caa20c6d1bf49532932a6659edea7b5d6ad56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_giscqe3p.o4k.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/832-8-0x00007FFD22C13000-0x00007FFD22C15000-memory.dmp

    Filesize

    8KB

    Download

  • memory/832-11-0x000001FD408B0000-0x000001FD408D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/832-18-0x00007FFD22C10000-0x00007FFD236D2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/832-19-0x00007FFD22C10000-0x00007FFD236D2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/832-20-0x00007FFD22C10000-0x00007FFD236D2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/832-23-0x00007FFD22C10000-0x00007FFD236D2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/832-24-0x00007FFD22C10000-0x00007FFD236D2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5472-7-0x0000017E475A0000-0x0000017E475B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5968-25-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/5968-39-0x0000000005690000-0x0000000005C36000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5968-41-0x00000000050E0000-0x0000000005172000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5968-43-0x0000000005090000-0x000000000509A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5968-44-0x0000000006260000-0x0000000006878000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5968-45-0x0000000005510000-0x000000000561A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5968-46-0x0000000005310000-0x0000000005322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5968-47-0x0000000005370000-0x00000000053AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5968-48-0x00000000053C0000-0x000000000540C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/6028-97-0x000000000D660000-0x000000000D78D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/6028-89-0x000000000A100000-0x000000000A118000-memory.dmp

    Filesize

    96KB

    Download

  • memory/6028-52-0x0000000005630000-0x0000000005792000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/6028-50-0x00000000050E0000-0x0000000005454000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/6028-55-0x0000000005980000-0x0000000005A2E000-memory.dmp

    Filesize

    696KB

    Download

  • memory/6028-54-0x0000000005950000-0x0000000005979000-memory.dmp

    Filesize

    164KB

    Download

  • memory/6028-53-0x00000000057A0000-0x000000000594C000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/6028-60-0x00000000064C0000-0x0000000006527000-memory.dmp

    Filesize

    412KB

    Download

  • memory/6028-65-0x0000000006A70000-0x0000000006C23000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/6028-66-0x0000000006C30000-0x0000000006D50000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/6028-71-0x0000000007070000-0x000000000710E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/6028-76-0x0000000008EB0000-0x0000000008EC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/6028-78-0x0000000009980000-0x0000000009AE6000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/6028-85-0x000000000A0A0000-0x000000000A0BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/6028-49-0x0000000004F00000-0x0000000004FBD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/6028-99-0x000000000B8C0000-0x000000000B9F2000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/6028-98-0x000000000A3A0000-0x000000000A54E000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/6028-96-0x000000000D420000-0x000000000D4CE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/6028-82-0x0000000009FC0000-0x000000000A06C000-memory.dmp

    Filesize

    688KB

    Download

  • memory/6028-95-0x000000000BC80000-0x000000000BC8D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/6028-94-0x000000000B890000-0x000000000B8B4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/6028-93-0x000000000B660000-0x000000000B77E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/6028-92-0x000000000B640000-0x000000000B65F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/6028-91-0x000000000B430000-0x000000000B43C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/6028-90-0x000000000B3F0000-0x000000000B425000-memory.dmp

    Filesize

    212KB

    Download

  • memory/6028-51-0x0000000004B90000-0x0000000004BFF000-memory.dmp

    Filesize

    444KB

    Download

  • memory/6028-88-0x000000000A0C0000-0x000000000A0CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/6028-87-0x000000000A220000-0x000000000A287000-memory.dmp

    Filesize

    412KB

    Download

  • memory/6028-86-0x000000000A130000-0x000000000A217000-memory.dmp

    Filesize

    924KB

    Download

  • memory/6028-84-0x000000000A080000-0x000000000A099000-memory.dmp

    Filesize

    100KB

    Download

  • memory/6028-83-0x000000000A070000-0x000000000A079000-memory.dmp

    Filesize

    36KB

    Download

  • memory/6028-81-0x0000000009F40000-0x0000000009FBF000-memory.dmp

    Filesize

    508KB

    Download

  • memory/6028-80-0x0000000009F20000-0x0000000009F38000-memory.dmp

    Filesize

    96KB

    Download

  • memory/6028-79-0x0000000009AF0000-0x0000000009BDA000-memory.dmp

    Filesize

    936KB

    Download

  • memory/6028-77-0x0000000009110000-0x0000000009977000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/6028-75-0x0000000007770000-0x00000000077A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/6028-74-0x0000000007530000-0x0000000007561000-memory.dmp

    Filesize

    196KB

    Download

  • memory/6028-73-0x00000000071B0000-0x0000000007528000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/6028-70-0x0000000006FC0000-0x0000000007063000-memory.dmp

    Filesize

    652KB

    Download

  • memory/6028-69-0x0000000006EA0000-0x0000000006FB2000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/6028-68-0x0000000006E70000-0x0000000006E96000-memory.dmp

    Filesize

    152KB

    Download

  • memory/6028-72-0x0000000007110000-0x00000000071AD000-memory.dmp

    Filesize

    628KB

    Download

  • memory/6028-67-0x0000000006D50000-0x0000000006E61000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/6028-56-0x0000000005A30000-0x00000000061DE000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/6028-64-0x0000000006840000-0x0000000006A61000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/6028-63-0x0000000006810000-0x0000000006837000-memory.dmp

    Filesize

    156KB

    Download

  • memory/6028-61-0x0000000006530000-0x00000000067D5000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/6028-59-0x0000000006460000-0x00000000064BD000-memory.dmp

    Filesize

    372KB

    Download

  • memory/6028-62-0x00000000067E0000-0x000000000680D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/6028-58-0x0000000006380000-0x0000000006456000-memory.dmp

    Filesize

    856KB

    Download

  • memory/6028-57-0x00000000061E0000-0x000000000637A000-memory.dmp

    Filesize

    1.6MB

    Download