Overview

overview

10

Static

static

3

SAMPLE SPE...NS.exe

windows7-x64

10

SAMPLE SPE...NS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-02-2025 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SAMPLE SPECIFICATIONS.exe

  • Size

    878KB

  • MD5

    1467e6f9df8e132f05e73efd99ea883b

  • SHA1

    e48bf156020bfeb00703611ceb90d071ceebc610

  • SHA256

    18464784341f52e95ca20a54611a6ab95acb2da56c902de9c8e823d8f0be800a

  • SHA512

    f457f8139b82567c9da04b6185e7aceb92f3ef024a0616dc796aef22f9890be9022433ed11d062599e8fc2608cac725698923cbaff45bf0382199a1dd64e0a30

  • SSDEEP

    12288:irT5UqCUfsgddlnpKjKAYo0tj4w3FeJsEOcbW5pKGgcrmHKKctPSst3L3:irxroy4sdEVcKGgc1tPX3L

Score
10/10
redlinesectopratcheatdiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.177:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SAMPLE SPECIFICATIONS.exe
    "C:\Users\Admin\AppData\Local\Temp\SAMPLE SPECIFICATIONS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Local\Temp\SAMPLE SPECIFICATIONS.exe
      "C:\Users\Admin\AppData\Local\Temp\SAMPLE SPECIFICATIONS.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SAMPLE SPECIFICATIONS.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF582.tmp
    Filesize

    40KB

    MD5

    a182561a527f929489bf4b8f74f65cd7

    SHA1

    8cd6866594759711ea1836e86a5b7ca64ee8911f

    SHA256

    42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

    SHA512

    9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF597.tmp
    Filesize

    114KB

    MD5

    990c8183444f0dbb4f8d643c17b235a9

    SHA1

    7813e3d8ea6355c4c73da5175f96551f8f4fa30f

    SHA256

    f16719e300b80c1283ef68c5980a0b4261f245aa0c832c04b4db7d58ade35f4e

    SHA512

    2cdfee733a78519fbc342f69d829ad8732d07c81cd277c3ba7711223441dd1cc99d466d07d7c332d2f5c654ceaa06c0dff0a1be0bc30c35808b0119e03f111e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF5B3.tmp
    Filesize

    48KB

    MD5

    349e6eb110e34a08924d92f6b334801d

    SHA1

    bdfb289daff51890cc71697b6322aa4b35ec9169

    SHA256

    c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

    SHA512

    2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF5B9.tmp
    Filesize

    20KB

    MD5

    49693267e0adbcd119f9f5e02adf3a80

    SHA1

    3ba3d7f89b8ad195ca82c92737e960e1f2b349df

    SHA256

    d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

    SHA512

    b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF5CE.tmp
    Filesize

    116KB

    MD5

    f70aa3fa04f0536280f872ad17973c3d

    SHA1

    50a7b889329a92de1b272d0ecf5fce87395d3123

    SHA256

    8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

    SHA512

    30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF5EA.tmp
    Filesize

    96KB

    MD5

    40f3eb83cc9d4cdb0ad82bd5ff2fb824

    SHA1

    d6582ba879235049134fa9a351ca8f0f785d8835

    SHA256

    cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

    SHA512

    cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

    Download Submit

  • memory/1212-25-0x00000000745A0000-0x0000000074D50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1212-21-0x0000000005270000-0x000000000537A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1212-198-0x00000000745A0000-0x0000000074D50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1212-28-0x00000000745A0000-0x0000000074D50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1212-11-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1212-27-0x00000000074B0000-0x00000000074CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1212-26-0x0000000006BE0000-0x0000000006C56000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1212-15-0x00000000745A0000-0x0000000074D50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1212-16-0x0000000005710000-0x0000000005D28000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1212-17-0x0000000004F60000-0x0000000004F72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1212-18-0x0000000004FC0000-0x0000000004FFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1212-20-0x00000000745A0000-0x0000000074D50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1212-19-0x0000000005000000-0x000000000504C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1212-24-0x0000000006800000-0x0000000006866000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1212-22-0x0000000006580000-0x0000000006742000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1212-23-0x0000000006C80000-0x00000000071AC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2216-8-0x00000000745A0000-0x0000000074D50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2216-0-0x00000000745AE000-0x00000000745AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2216-14-0x00000000745A0000-0x0000000074D50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2216-7-0x00000000745AE000-0x00000000745AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2216-10-0x0000000006BA0000-0x0000000006C3C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2216-6-0x0000000006FC0000-0x0000000006FDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2216-5-0x00000000745A0000-0x0000000074D50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2216-4-0x0000000005870000-0x000000000587A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2216-3-0x00000000056B0000-0x0000000005742000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2216-2-0x0000000005D10000-0x00000000062B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2216-1-0x0000000000C40000-0x0000000000D20000-memory.dmp

    Filesize

    896KB

    Download

  • memory/2216-9-0x0000000005130000-0x0000000005192000-memory.dmp

    Filesize

    392KB

    Download