Overview

overview

10

Static

static

3

random.exe

windows7-x64

10

random.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-02-2025 15:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    1.7MB

  • MD5

    4ba31c351d47f114de7ec45ba64ec807

  • SHA1

    5314ba39477d0a29c745d8367c1a9bd5d5cae667

  • SHA256

    724902ab0936be774ebeb685d0be152e4fc91da28d4f398944fc98011c204d55

  • SHA512

    5b16d057b084f88cd612002f10a45cf4d3f114ad668c802ea412c4abad04529f4365e4a52a662186f064b1d8bc3bd005e9e073c15fb8a85b3a1ee14cd2026ed8

  • SSDEEP

    24576:UacJzs3Ds96XBY/ELPKnKSqd1wZL+gB4hI7K4mvHP4PTxLc1aoxR9sOhSVas6LoI:UPEtxY1nKSqdusgOXkAawPhAasGo

Score
10/10
redlinesectopratcheatdefense_evasiondiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

103.84.89.222:33791

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Sectoprat family
    sectoprat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\random.exe
    "C:\Users\Admin\AppData\Local\Temp\random.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1DA.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp200.tmp
    Filesize

    92KB

    MD5

    6093b9b9effe107a1958b5e8775d196a

    SHA1

    f86ede48007734aebe75f41954ea1ef64924b05e

    SHA256

    a10b04d057393f5974c776ed253909cafcd014752a57da2971ae0dddfa889ab0

    SHA512

    2d9c20a201655ffcce71bfafa71b79fe08eb8aa02b5666588302608f6a14126a5a1f4213a963eb528514e2ea2b17871c4c5f9b5ef89c1940c40c0718ec367a77

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9D.tmp
    Filesize

    19KB

    MD5

    7906dcff41b46bbbe5ea72d1a487d708

    SHA1

    8a04818355307f3c9e2d89e10c22deb9412267d1

    SHA256

    38c63fc6dc33e81b0607b1f4b545302d06a7125a6816285063f210dc07b7e4c7

    SHA512

    0cf6548c902e2a60b073e618f68c465dfe700f9bc8c7157c7385ca33e6473569686a46ac00c75f6c0943a7cce62ed4713ef8431e74ad7de41c69d973825cdc1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9E.tmp
    Filesize

    14KB

    MD5

    c191e37f3d995dc5d2d69a50da2ceea9

    SHA1

    2d3a40d0ede2bb50d7dea5a5f564311515c3c08e

    SHA256

    cf4815c68aa4756bd66a547da69cb3e98bd1bdfc534de325a98a1346dc61e441

    SHA512

    c376236d52d64b08021657551a8f3865de761043967afb723e36805a8d6280306c3a98df665c875d0fd6040e5701c524130260690459202e2068bee9e0a5203a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9F.tmp
    Filesize

    18KB

    MD5

    26c1154d67cdabaf6e15a3cd702287e3

    SHA1

    3ef613438f5fba54ea2b314b8fdfe6d000b3ab52

    SHA256

    257a8595b7abefc9e99b9379c80e817b8cbe08b345e3ee822932aa0606990c2f

    SHA512

    653fbe2bd613750acaabe3b1914c00f06b928977e1f052369346e7815d8cd5a490e17fa96992a39c39f69fc7e9a2f8aa8cd54117f2154af74b3964753a3e4294

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpFFEA.tmp
    Filesize

    10KB

    MD5

    173d4c422e4ff478f60f439746b1b35d

    SHA1

    df9d122f7222d89f3770b57b2f31b28068140058

    SHA256

    f02a20de3d234181a34d6f7d10b4314bec6e06a2f50e6d4e2ec2be55094e5671

    SHA512

    0e8c0aa9f64266fae654cbb597ec0220dd9478a96b1eea00c9a129f7888ce4b5f45fe55c0462f3f79c4003b5872edb39c8b0475cd620c86a5057dc392b76e1db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpFFEE.tmp
    Filesize

    18KB

    MD5

    503cea80cc04a0a49f3ffbac791d37bd

    SHA1

    bfb27f7d0a27b830e72c581eae9069277680eba7

    SHA256

    15f2a21e3e7096d9d8dcfe622f453efa3a189975e6fef39edcb8d593534e7ec3

    SHA512

    98e8b4847cf28e2b2e4f0f3763c4acf36ecf96df1cd2f454fbc10af35e0e903fbd6e7a020973cafcc18402a12965c895aff3e7fc072e9e281914c628ed89278e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpFFEF.tmp
    Filesize

    13KB

    MD5

    fc6b2a4c8f2520df9a6539d1cb7ddb24

    SHA1

    ae675153da341e7017d325dead9a56151c0912d3

    SHA256

    99e465302104dd4700661c6ad6750ab0bf3721c58fb2ff15a17fd0bd71cf5486

    SHA512

    7edfc985c71e6d92dc0e2d8d572972fa02abdd3622e46dc7cad6338cc95bcfaaa4fa3cf65f04a835ef8dfe055ec552ae2f8b8c7a6467b2241114e8fc4288487d

    Download Submit

  • memory/2212-0-0x0000000000A50000-0x0000000000ED6000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2212-1-0x0000000000A50000-0x0000000000ED6000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2212-2-0x0000000000A50000-0x0000000000ED6000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2212-4-0x0000000000A50000-0x0000000000ED6000-memory.dmp

    Filesize

    4.5MB

    Download