Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-01-2025 12:01
General
-
Target
963F526636C53E9ECF5AF8025E0DACA0.exe
-
Size
568KB
-
MD5
963f526636c53e9ecf5af8025e0daca0
-
SHA1
bf41a267e768fca782e6861ba274aac58f79a959
-
SHA256
55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3
-
SHA512
85d347f552ee0f73af7e5f198430c452b4194f73f9313007f4e800e3fc2a9cc07c6c20de7cf81ac6530ff45b35b09b8ae137f01319ed86ceb084329ebff67fa8
-
SSDEEP
12288:UfLYRxA4Y5lyA/BxSPCPU0/iRsFpPQPht0XJ1vzUZdJFk7UQlbd9JU:XR6KRDPht0HgHUvbdX
Malware Config
Extracted
redline
cheat
185.222.57.84:55615
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 5 IoCs
-
Sectoprat family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\963F526636C53E9ECF5AF8025E0DACA0.exe"C:\Users\Admin\AppData\Local\Temp\963F526636C53E9ECF5AF8025E0DACA0.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\963F526636C53E9ECF5AF8025E0DACA0.exe"C:\Users\Admin\AppData\Local\Temp\963F526636C53E9ECF5AF8025E0DACA0.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
92KB
MD56093b9b9effe107a1958b5e8775d196a
SHA1f86ede48007734aebe75f41954ea1ef64924b05e
SHA256a10b04d057393f5974c776ed253909cafcd014752a57da2971ae0dddfa889ab0
SHA5122d9c20a201655ffcce71bfafa71b79fe08eb8aa02b5666588302608f6a14126a5a1f4213a963eb528514e2ea2b17871c4c5f9b5ef89c1940c40c0718ec367a77
-
Filesize
6.9MB
-
Filesize
120KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
6.9MB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
104KB
-
Filesize
392KB
-
Filesize
6.9MB
-
Filesize
592KB
-
Filesize
6.9MB
-
Filesize
4KB