Analysis
max time kernel: 74s
max time network: 84s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 13:12

Behavioral task: behavioral1
Sample: CraxsRat v4.9.5.zip
Resource: win10v2004-20241007-en
General
Target: CraxsRat v4.9.5.zip
Size: 202.9MB
MD5: 7500401b8191aaa4fffd67f8c6bc66c0
SHA1: c671f3d06004c09bbc93dfd9cd5e03b1f3b02558
SHA256: 9a36c8468bb8d00af6a292ab0daa6e70085ca85d0b3d9300570efea167b4a80b
SHA512: 3d881dd0c37d8a75c113de55ed4091c2c4b147c69ae59eabb1da4d931061a7826adf4b85a5e9548df089bd89998453438c627c6b5a44d58a913670d10f45f585
SSDEEP: 6291456:L8Dcuk7vb0d6rJLAJ2W9oN7ZiLb74IqGQezH6lr:Lichj0I1TpkzGGlH6t
Malware Config
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral1/memory/2916-1048-0x0000000001420000-0x0000000001476000-memory.dmp | family_redline

Redline family
.NET Reactor protector (5 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral1/files/0x0007000000023caa-1030.dat | net_reactor
behavioral1/files/0x0011000000023ece-1044.dat | net_reactor
behavioral1/memory/4220-1055-0x0000000000400000-0x00000000034F7000-memory.dmp | net_reactor
behavioral1/memory/1280-1061-0x0000021F56B70000-0x0000021F59BBC000-memory.dmp | net_reactor
behavioral1/memory/1012-1073-0x0000000000400000-0x00000000034F7000-memory.dmp | net_reactor
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely used for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | CraxsRat v4.9.5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | CraxsRat v4.9.5.exe

Executes dropped EXE (5 IoCs)
pid | Process
4220 | CraxsRat v4.9.5.exe
2916 | build.exe
1280 | CraxsRat v4.9.5.exe
1012 | CraxsRat v4.9.5.exe
4700 | CraxsRat v4.9.5.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | build.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CraxsRat v4.9.5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CraxsRat v4.9.5.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (17 IoCs)
pid | Process
3476 | taskmgr.exe (17 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1388 | 7zFM.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 1388 | 7zFM.exe
Token: 35 | 1388 | 7zFM.exe
Token: SeSecurityPrivilege | 1388 | 7zFM.exe
Token: SeDebugPrivilege | 3476 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3476 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3476 | taskmgr.exe
Token: 33 | 3476 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3476 | taskmgr.exe

Suspicious use of FindShellTrayWindow (45 IoCs)
pid | Process
1388 | 7zFM.exe (2 occurrences)
3476 | taskmgr.exe (43 occurrences)

Suspicious use of SendNotifyMessage (43 IoCs)
pid | Process
3476 | taskmgr.exe (43 occurrences)

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 4220 wrote to memory of 2916 | 4220 | CraxsRat v4.9.5.exe | 103
PID 4220 wrote to memory of 2916 | 4220 | CraxsRat v4.9.5.exe | 103
PID 4220 wrote to memory of 2916 | 4220 | CraxsRat v4.9.5.exe | 103
PID 4220 wrote to memory of 1280 | 4220 | CraxsRat v4.9.5.exe | 105
PID 4220 wrote to memory of 1280 | 4220 | CraxsRat v4.9.5.exe | 105
PID 1012 wrote to memory of 4700 | 1012 | CraxsRat v4.9.5.exe | 114
PID 1012 wrote to memory of 4700 | 1012 | CraxsRat v4.9.5.exe | 114
Processes
(child processes are indented under their parent)

C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.zip"
  PID: 1388
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 452

C:\Users\Admin\Desktop\CraxsRat v4.9.5\CraxsRat v4.9.5.exe
  Command line: "C:\Users\Admin\Desktop\CraxsRat v4.9.5\CraxsRat v4.9.5.exe"
  PID: 4220
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\build.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
      PID: 2916
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.exe"
      PID: 1280
      - Executes dropped EXE

C:\Users\Admin\Desktop\CraxsRat v4.9.5\CraxsRat v4.9.5.exe
  Command line: "C:\Users\Admin\Desktop\CraxsRat v4.9.5\CraxsRat v4.9.5.exe"
  PID: 1012
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.exe"
      PID: 4700
      - Executes dropped EXE

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  PID: 3476
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 48.3MB
MD5: 84578a6017fbddded5db8e86169352a7
SHA1: ec3f5bba061491849042f9ec54b56e2dfed0338d
SHA256: 3dc57a54f55d731d98c80b57822170959f10ad6149d4fb70a29b9d51d8a4a038
SHA512: 96c7048f4eb7352d70b57825b6b21a3c93fa37ff9c11035a80c7c67b8e3049d381217e9d45c53b23b70461a65079317391e1842a2fd976a01f2cea398d3d577f

Filesize: 506KB
MD5: e5fb57e8214483fd395bd431cb3d1c4b
SHA1: 60e22fc9e0068c8156462f003760efdcac82766b
SHA256: e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684
SHA512: dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

Filesize: 48.9MB
MD5: c00d5b368bdbb0b8033abca5f003a476
SHA1: 2b6978fcb7213b71c365bd2121270959e47acc11
SHA256: 4973837a62302ed15dffaa2fb9582b29ef9cbbec8701823e3736e3e267297f3d
SHA512: 0b7c411fc5fbeaf7a5db92f719c0462e02c45c8b1286af2248a8bb5136f2882fa2b4f71f1cbd1c1ada8b2bd8d16dcbd026df5f9e3093df55ab87460ff35d65e8