Overview

overview

10

Static

static

3

1e9ff1fc65...c2.exe

windows7-x64

10

1e9ff1fc65...c2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-02-2025 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2.exe

  • Size

    1.7MB

  • MD5

    f662cb18e04cc62863751b672570bd7d

  • SHA1

    1630d460c4ca5061d1d10ecdfd9a3c7d85b30896

  • SHA256

    1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

  • SHA512

    ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4

  • SSDEEP

    24576:+ShI0oE/JeMqdgRvsVsV3/AvUeCgzXw2UT+9E8tftrvOHcLQgrICC1UVAmWy/IW:+STZJPqyhWzXRU6l3rIDUmGhgscIa

Score
10/10
redlinesectopratcheatdefense_evasiondiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

103.84.89.222:33791

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Sectoprat family
    sectoprat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2.exe
    "C:\Users\Admin\AppData\Local\Temp\1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpABF.tmp
    Filesize

    15KB

    MD5

    fd4d8430efc42b0aa984ca2a3bba6d29

    SHA1

    c3eb4f27922dc5ca848cc9f6b01c24df75e73cc9

    SHA256

    950272ce95dc9d3b9f2b9687042c13ffc658bbf6576fa4433978112b61eb130f

    SHA512

    4f6bf29254a689a17f566c1898e8fb134725d7c97665d1f151342dca3fc89827641f39e219a3855ff6c05232103e911916eb74ac9d1bcee28ca3d186b6d789ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpAD3.tmp
    Filesize

    10KB

    MD5

    fe3206d754349ac85fc6d1adc9464118

    SHA1

    ab06d43f396d41565784e2c4232e05194b9f4a1b

    SHA256

    421fdf29a4a600d23e7a94c85ceeb73f4a8c96eb2368d71bca360bae5a0544d4

    SHA512

    e1fcca9e4e2e620006c3345abfa8e8af423d41e050f2b40545fe78800b160877d1d7bc3c8e8d94e577476dd77003d4fef0338b547e6833819cbee5acbde80bda

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB46.tmp
    Filesize

    18KB

    MD5

    6c37a9451a3a4807372c197e726f6bbc

    SHA1

    7d1cd484e2e91a7ad2f46273ffe1578d9f4c5058

    SHA256

    09000bdce04387e613affc87d38367359c7cd692ed5271ee530bd48846164510

    SHA512

    d3b02efac83d260cfeb4fdf6120994dfa2cef94a647f88bcc231f5bd070c51be2671633779b4db73e6cdbc8f7d94b4edd573d6d9dcb0a991f91843e1210387c6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB6A.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB8F.tmp
    Filesize

    92KB

    MD5

    5a11d4c52a76804780cbb414b2595bdb

    SHA1

    14c89a2283c41b10ce8f1576404e1541c04a8125

    SHA256

    e1b3260b2607c6a5fcf91575d1de278deceaf4e5f9f0530a3782c6d9567749d8

    SHA512

    0bffe811cbba5278d39e20b66a5c4770e3855d1f5cbd45161e8ad304b78da73f555a3c42a198378efab3dfc81f384fdaefc6cbb893a708c7e2649a89fdd11762

    Download Submit

  • memory/1796-0-0x00000000000F0000-0x0000000000568000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1796-1-0x00000000000F0000-0x0000000000568000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1796-2-0x00000000000F0000-0x0000000000568000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1796-4-0x00000000000F0000-0x0000000000568000-memory.dmp

    Filesize

    4.5MB

    Download