Overview

overview

10

Static

static

3

Crunchyrol...ky.exe

windows7-x64

10

Crunchyrol...ky.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2025 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CrunchyrollCheckerbyxRisky.exe

  • Size

    2.2MB

  • MD5

    c1569f6f8a566286be9c1462a45439f0

  • SHA1

    495666664562a811021e044228917b25a8a9c0b6

  • SHA256

    34c5044ae9b4eaea508f2444a2bdc861b5baef9839950e7f0ac8f478119b7923

  • SHA512

    0fb49a006c99c59bb5b55df40a108bdff3cbe01830af5ce051c61fff1a631ea8fdb8153aa7bb0739415fe97fbf67830c3c3228f901e8b2c9f0c39f2cda1e135f

  • SSDEEP

    49152:gRArNHv39/gvqDZEsLXN4c1ILuo2iue915Y:4uNHvt/lEe0uo21e9

Score
10/10
redlinesectopratultimatecrackpackagilenetdiscoveryexecutioninfostealerpersistencerattrojan

Malware Config

Extracted

Family

redline

Botnet

UltimateCrackPack

C2

51.83.170.23:16128

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Sectoprat family
    sectoprat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Obfuscated with Agile.Net obfuscator 4 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrunchyrollCheckerbyxRisky.exe
    "C:\Users\Admin\AppData\Local\Temp\CrunchyrollCheckerbyxRisky.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
      "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
    • C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
      "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
    Filesize

    1.6MB

    MD5

    08b38d8dfed76440354393c3a83a06e2

    SHA1

    28fb407cf185284a3c7e3616e15caa7c03d37ae3

    SHA256

    fd8b6add3cf06c7941cd85cd8741d7e639fced8b4ec2fcb96d58e7bbab334185

    SHA512

    4f7417b3b047f21e9ffe620bf9891a8ea6f46780515ff6d7e558b5bd7f0716797e056afbe44ac68c754fb8551d02d995474b39275d7841ce6cc664c9222120ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll
    Filesize

    115KB

    MD5

    42cf916df4ea1d300201ec9559b7bef3

    SHA1

    f58abe0ad5f3e033a9dbebcebd02692c5d35936d

    SHA256

    939c8980bcb9bd9a2279714f6086714229e7af194ec4e32677c5a4ed96db5edd

    SHA512

    2d03d21b369b9784329573e8219553f4c6b3cae66515ebe7409154c7457e3cfb95f8dfac5bae57820ade2a5219dd7d10ce34d72ec8971b2fbb7024a5a23cc1ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MetroSuite 2.0.dll
    Filesize

    305KB

    MD5

    0d30a398cec0ff006b6ea2b52d11e744

    SHA1

    4ceebd9c6180a321c4d4f3cfb5cfc3952bf72b45

    SHA256

    8604bf2a1fe2e94dc1ea1fbd0cf54e77303493b93994df48479dc683580aa654

    SHA512

    8e06ff131a81e73b1ff5de78262701a11ecc2bcdaf41011f4e96f11c5372742478e70b6a0901b61953c21c95725532af8d785654405ec5066ad157e2143467cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
    Filesize

    115KB

    MD5

    dc6f230a993249cbe632aea3edbbd63e

    SHA1

    ee67ed14eb647918d0d7ffd11ba7b665eeb19c27

    SHA256

    a6c001e47fd68b6c97fa484c5c98f918eed5d231bd8f1a4e4ad65af20788118b

    SHA512

    7e9b46e5d8e8fa609c839d570cf6cf80c7464de553f094e02b6f86e96dc81ce65a1f5f071acd6fadec9d1f4690f48972d4425a7dc2bb0bab7d0588eae81fa5e2

    Download Submit

  • memory/2660-46-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2660-52-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2660-53-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2660-48-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2660-44-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2660-42-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2660-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2660-51-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2820-0-0x000007FEF5933000-0x000007FEF5934000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-1-0x0000000000F90000-0x00000000011CA000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2876-16-0x0000000000030000-0x0000000000054000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2876-15-0x00000000741FE000-0x00000000741FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2876-40-0x00000000003F0000-0x0000000000412000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2972-17-0x0000000004D00000-0x0000000004E58000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2972-38-0x0000000000400000-0x000000000061B000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2972-35-0x00000000056C0000-0x0000000005714000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2972-31-0x0000000004CC0000-0x0000000004CE4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2972-22-0x0000000004D00000-0x0000000004E52000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2972-24-0x0000000004D00000-0x0000000004E52000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2972-26-0x0000000004D00000-0x0000000004E52000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2972-18-0x0000000001DA0000-0x0000000001EE0000-memory.dmp

    Filesize

    1.2MB

    Download