Analysis

  • max time kernel
    74s
  • max time network
    84s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 13:12

General

  • Target

    CraxsRat v4.9.5.zip

  • Size

    202.9MB

  • MD5

    7500401b8191aaa4fffd67f8c6bc66c0

  • SHA1

    c671f3d06004c09bbc93dfd9cd5e03b1f3b02558

  • SHA256

    9a36c8468bb8d00af6a292ab0daa6e70085ca85d0b3d9300570efea167b4a80b

  • SHA512

    3d881dd0c37d8a75c113de55ed4091c2c4b147c69ae59eabb1da4d931061a7826adf4b85a5e9548df089bd89998453438c627c6b5a44d58a913670d10f45f585

  • SSDEEP

    6291456:L8Dcuk7vb0d6rJLAJ2W9oN7ZiLb74IqGQezH6lr:Lichj0I1TpkzGGlH6t

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • .NET Reactor proctector 5 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1388
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:452
    • C:\Users\Admin\Desktop\CraxsRat v4.9.5\CraxsRat v4.9.5.exe
      "C:\Users\Admin\Desktop\CraxsRat v4.9.5\CraxsRat v4.9.5.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4220
      • C:\Users\Admin\AppData\Local\Temp\build.exe
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2916
      • C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.exe
        "C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.exe"
        2⤵
        • Executes dropped EXE
        PID:1280
    • C:\Users\Admin\Desktop\CraxsRat v4.9.5\CraxsRat v4.9.5.exe
      "C:\Users\Admin\Desktop\CraxsRat v4.9.5\CraxsRat v4.9.5.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.exe
        "C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.exe"
        2⤵
        • Executes dropped EXE
        PID:4700
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /0
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3476

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CraxsRat v4.9.5.exe

      Filesize

      48.3MB

      MD5

      84578a6017fbddded5db8e86169352a7

      SHA1

      ec3f5bba061491849042f9ec54b56e2dfed0338d

      SHA256

      3dc57a54f55d731d98c80b57822170959f10ad6149d4fb70a29b9d51d8a4a038

      SHA512

      96c7048f4eb7352d70b57825b6b21a3c93fa37ff9c11035a80c7c67b8e3049d381217e9d45c53b23b70461a65079317391e1842a2fd976a01f2cea398d3d577f

    • C:\Users\Admin\AppData\Local\Temp\build.exe

      Filesize

      506KB

      MD5

      e5fb57e8214483fd395bd431cb3d1c4b

      SHA1

      60e22fc9e0068c8156462f003760efdcac82766b

      SHA256

      e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

      SHA512

      dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

    • C:\Users\Admin\Desktop\CraxsRat v4.9.5\CraxsRat v4.9.5.exe

      Filesize

      48.9MB

      MD5

      c00d5b368bdbb0b8033abca5f003a476

      SHA1

      2b6978fcb7213b71c365bd2121270959e47acc11

      SHA256

      4973837a62302ed15dffaa2fb9582b29ef9cbbec8701823e3736e3e267297f3d

      SHA512

      0b7c411fc5fbeaf7a5db92f719c0462e02c45c8b1286af2248a8bb5136f2882fa2b4f71f1cbd1c1ada8b2bd8d16dcbd026df5f9e3093df55ab87460ff35d65e8

    • memory/1012-1073-0x0000000000400000-0x00000000034F7000-memory.dmp

      Filesize

      49.0MB

    • memory/1280-1061-0x0000021F56B70000-0x0000021F59BBC000-memory.dmp

      Filesize

      48.3MB

    • memory/2916-1048-0x0000000001420000-0x0000000001476000-memory.dmp

      Filesize

      344KB

    • memory/2916-1056-0x0000000006040000-0x0000000006658000-memory.dmp

      Filesize

      6.1MB

    • memory/2916-1057-0x0000000005970000-0x0000000005982000-memory.dmp

      Filesize

      72KB

    • memory/2916-1058-0x0000000005B30000-0x0000000005C3A000-memory.dmp

      Filesize

      1.0MB

    • memory/2916-1059-0x00000000059D0000-0x0000000005A0C000-memory.dmp

      Filesize

      240KB

    • memory/2916-1060-0x0000000005A40000-0x0000000005A8C000-memory.dmp

      Filesize

      304KB

    • memory/3476-1082-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/3476-1075-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/3476-1076-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/3476-1077-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/3476-1087-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/3476-1086-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/3476-1085-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/3476-1084-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/3476-1083-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/3476-1081-0x00000221F37B0000-0x00000221F37B1000-memory.dmp

      Filesize

      4KB

    • memory/4220-1055-0x0000000000400000-0x00000000034F7000-memory.dmp

      Filesize

      49.0MB