Overview

overview

10

Static

static

3

9451be6a28...58.exe

windows7-x64

10

9451be6a28...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9451be6a28dc660c832d444f7cc53a58.exe

  • Size

    607KB

  • MD5

    9451be6a28dc660c832d444f7cc53a58

  • SHA1

    077f6a146080489988113104f6b9985c9e806290

  • SHA256

    4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53

  • SHA512

    0ed05ba676db20cea8e7ea5aae10d215cdb7d22ce82dc7e8c7b433833b67896bc816fa4512d08b427f566d4e012384d44e9f2106e4e59287699ef200c8770c51

  • SSDEEP

    12288:4nl1cUoV+I4MVKWE5SXa+1nhCF3pGtBM63blYrw2n5nh8zHB:4nluRgJSt9tD3blYrw8/0HB

Score
10/10
redlinesectopratcheatdiscoveryexecutioninfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.57.94:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Sectoprat family
    sectoprat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9451be6a28dc660c832d444f7cc53a58.exe
    "C:\Users\Admin\AppData\Local\Temp\9451be6a28dc660c832d444f7cc53a58.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9451be6a28dc660c832d444f7cc53a58.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XfCVNRqAnhjg.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XfCVNRqAnhjg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F4F.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2836
    • C:\Users\Admin\AppData\Local\Temp\9451be6a28dc660c832d444f7cc53a58.exe
      "C:\Users\Admin\AppData\Local\Temp\9451be6a28dc660c832d444f7cc53a58.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5F4F.tmp
    Filesize

    1KB

    MD5

    1c42307a9534ba5297432f7d14eb28ec

    SHA1

    db33d65d7affbbc4bf68408bf84374c487433174

    SHA256

    d6009a7afd6ffde5927f7ebd6e6e85cc4beac03bdfff69005ae244ab85bc780b

    SHA512

    e50330ec6f87f2c6b703617c2dae8edcbe6c5f856964a1936fb1091abfb99825dab9be919ff09df6e292b1e7edce0e9dc3740f709978128201a2c424143b901a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp87CC.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp87E1.tmp
    Filesize

    92KB

    MD5

    2cd7a684788f438d7a7ae3946df2e26f

    SHA1

    3e5a60f38395f3c10d9243ba696468d2bb698a14

    SHA256

    2ebed8dd3531958e857c87ddbf46376b8a10ea2f364d2399d9fcc604da0bee1d

    SHA512

    0fec4b36e2173d1ad5eca880e1be1d0c7093d459aeb612d371e4ac92fbeaea55beb36e9228d36d57fe1851bd4d57b26dd5b8edb4620fb17b91441e840669c7d1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    ad16e2a3b1ad62058a211311a740c3aa

    SHA1

    d6d2a910b7371bdfdbdbbaee08649d1a27e8bd71

    SHA256

    c6633ce04c21c5f505608a281200bee72c046edaf8f82e99f4c362834ad77ad3

    SHA512

    f42b056554282934466edd200fd8cf3c5b26deda6ed15ecd6a53a5cba7397f1b121b8259558cc0ad445ca090d62be750ba9405af2ca7cf8cc79989375a9bc0ad

    Download Submit

  • memory/2396-3-0x0000000000980000-0x000000000099C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2396-5-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2396-6-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2396-7-0x0000000004BC0000-0x0000000004C22000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2396-4-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2396-32-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2396-0-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2396-2-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2396-1-0x0000000001090000-0x000000000112E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2656-26-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2656-22-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2656-20-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2656-30-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2656-31-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2656-24-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2656-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2656-29-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download