Analysis
max time kernel: 141s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-02-2025 15:49
Static task: static1
Behavioral task: behavioral1
  Sample: random.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: random.exe
  Resource: win10v2004-20250129-en
General
Target: random.exe
Size: 1.7MB
MD5: 4ba31c351d47f114de7ec45ba64ec807
SHA1: 5314ba39477d0a29c745d8367c1a9bd5d5cae667
SHA256: 724902ab0936be774ebeb685d0be152e4fc91da28d4f398944fc98011c204d55
SHA512: 5b16d057b084f88cd612002f10a45cf4d3f114ad668c802ea412c4abad04529f4365e4a52a662186f064b1d8bc3bd005e9e073c15fb8a85b3a1ee14cd2026ed8
SSDEEP: 24576:UacJzs3Ds96XBY/ELPKnKSqd1wZL+gB4hI7K4mvHP4PTxLc1aoxR9sOhSVas6LoI:UPEtxY1nKSqdusgOXkAawPhAasGo
Malware Config
Extracted
redline
cheat
103.84.89.222:33791
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Redline family
SectopRAT payload (2 IoCs)
  resource: behavioral1/memory/2948-1-0x0000000000DE0000-0x0000000001266000-memory.dmp  yara_rule: family_sectoprat
  resource: behavioral1/memory/2948-2-0x0000000000DE0000-0x0000000001266000-memory.dmp  yara_rule: family_sectoprat
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description: Key opened  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Process: random.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Process: random.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Process: random.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description: Key opened  ioc: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine  Process: random.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid: 2948  Process: random.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: random.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 2948  Process: random.exe
  pid: 2948  Process: random.exe
  pid: 2948  Process: random.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege  pid: 2948  Process: random.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\random.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\random.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads