Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
31-01-2025 18:00
General
-
Target
random.exe
-
Size
1.7MB
-
MD5
f662cb18e04cc62863751b672570bd7d
-
SHA1
1630d460c4ca5061d1d10ecdfd9a3c7d85b30896
-
SHA256
1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2
-
SHA512
ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4
-
SSDEEP
24576:+ShI0oE/JeMqdgRvsVsV3/AvUeCgzXw2UT+9E8tftrvOHcLQgrICC1UVAmWy/IW:+STZJPqyhWzXRU6l3rIDUmGhgscIa
Malware Config
Extracted
redline
cheat
103.84.89.222:33791
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
Sectoprat family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\random.exe"C:\Users\Admin\AppData\Local\Temp\random.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD539db976c96464ddab1d53ad1e897d267
SHA18d2771bbb8d30a79cdf6c949439a5aaba3b71371
SHA2564622da996d2444b577f2966bf94584dfd080cedd326e1d898b65491a5784ac8f
SHA5122a830d358f34030723d99311f8ee9f513823d246ef499e5219a951bfcd642ce7f13143a1dfeacb6b83244b60a804e22e31222a0a48624f46b5d0a3accfde3c6e
-
Filesize
15KB
MD5b3cda4da60771ddea05940f4d026102e
SHA19c3b873e32b4f692309231bbd1941e72de59c33b
SHA256c89cccfb27e9ab314343ceb9a02939e4649338afaef6de70d9adf360f272c0bc
SHA51260428a3f7a72aa91f4ba7673bbc33721768cd4de1486cd75a2a4df8e2bf365de040bf075a8e9bf3cab09f5ce95b1976350687ece0973b96eee379c73e2184e60
-
Filesize
20KB
MD5ec917b16e01ba3e94f05bb79cd1972af
SHA1c4868d20210b154854f056ed2c75644a94599cb9
SHA25613d80ada57bcf01a689572ea5438fbb000dabfaec1c91f2bb512970791d2f4ba
SHA51217828dfd0ea1d291508107dc16621635a0aceabc6b451431be1e0cafa9f29c6384e66d2c784fa2ffe86e6c22103884cbfc0f5e45ccd7945f4847720c169e704c
-
Filesize
19KB
MD5a128f04a5d4b5f8886bdffe6eb966839
SHA1297544f48a594374fa96efc1420affbe605be05c
SHA2561860f7fac7c0d144bad6c4b8bbbe5ae0e9af6b4352d1804c6cf30c78303b9eff
SHA51238804be36c1e2a8212b66d5ad012bb6b61b4fe4e402afa9eb7436b361a560dc417c7ee28fcf947933172eafeb9dd42892447f55d2e2688d37812a3e61c1c9070
-
Filesize
20KB
MD59e41ad4bc754fbb1ada7ba7a05460cc7
SHA12c38a3fcfad83486612104b42e66db9344f6c0c2
SHA2562731469a44b4c25174c3a0f134e49dfe17a9f569d4d6752a529ac6d09a7b4ccc
SHA5121c072e1f4369b1cbc27261b0b6ece0dad7389316e7f3040aaaeb2f6da1bc7f7d2ec2e925486217a33a1a9b75415a85091ad266b94e149d1d04f00322f931f1f1
-
Filesize
18KB
MD575ba869a97f24152be9c0fe84a1701bb
SHA19b0c77602d0a7a6be8c0e60a078fd90b185107cf
SHA2560511db5da56fa530c34e33c204ba1750492cfac9c80b5ea9131217f990ee4cd8
SHA51200bbb07ec1678c7588cc3fb5a0a7ee3b9fb5dc87242fe21ea2e122bc0b56909b525e5c58eedaf5568abe4aa41bbf3f49f3d14db54c629d63d4a213a6d6423b63
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
92KB
MD5a58d87b023e155c10b4e15fdfc6fcb06
SHA10ee449b782aeac54c0406adde543f19ecd9dfd38
SHA256331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61
SHA5121965574101a71a640efb135a49c4a968fd5feb328779c33936047afb2209424b44fba3a1ccdacee959ce5a016f22b49c8b42dc543476b11f83df0feb1b080eae
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB