Overview

overview

10

Static

static

3

2d8a45f0de...27.exe

windows10-2004-x64

10

Resubmissions

31/03/2025, 15:30

250331-sxt73ssxft 10

24/03/2025, 20:16

250324-y2lz6avydy 10

Analysis

  • max time kernel
    50s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/03/2025, 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d8a45f0de92aeb5fc5495c2df0072a00e4d2215b0b2c1ccfd1580d752e32f27.exe

  • Size

    590KB

  • MD5

    41ece00a8f6eb23dc9b2c4e839264896

  • SHA1

    019af05aedb454d15f193713fef31524cfab6e6d

  • SHA256

    2d8a45f0de92aeb5fc5495c2df0072a00e4d2215b0b2c1ccfd1580d752e32f27

  • SHA512

    6575ec2bee5e4389050b115dfdc7c0d4cae780fdd5d24478981b0c4caa79c31751be6d3ce7655fd6ca5769fcebad90072c31971d0f697ca924ba431951bf7290

  • SSDEEP

    12288:WQAvPbfo3cZiJDYH3T2iOltmr7VUdNsf3z6mvNg8tytefqLTf1:OvPbxZ6DOFo0rebsP7vNg9teyTd

Score
10/10
redlinesectopratcheatdiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.57.71:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d8a45f0de92aeb5fc5495c2df0072a00e4d2215b0b2c1ccfd1580d752e32f27.exe
    "C:\Users\Admin\AppData\Local\Temp\2d8a45f0de92aeb5fc5495c2df0072a00e4d2215b0b2c1ccfd1580d752e32f27.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Local\Temp\2d8a45f0de92aeb5fc5495c2df0072a00e4d2215b0b2c1ccfd1580d752e32f27.exe
      "C:\Users\Admin\AppData\Local\Temp\2d8a45f0de92aeb5fc5495c2df0072a00e4d2215b0b2c1ccfd1580d752e32f27.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5028
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PingSwitch.hta
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Opens file in notepad (likely ransom note)
      PID:1972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2d8a45f0de92aeb5fc5495c2df0072a00e4d2215b0b2c1ccfd1580d752e32f27.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB8D1.tmp
    Filesize

    40KB

    MD5

    dfd4f60adc85fc874327517efed62ff7

    SHA1

    f97489afb75bfd5ee52892f37383fbc85aa14a69

    SHA256

    c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

    SHA512

    d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB8E7.tmp
    Filesize

    130KB

    MD5

    9dfb6477b5b97cc1b9b59dc836c4206b

    SHA1

    e94c07519330116066108c03594a101825918513

    SHA256

    cdf368239284da01a9e8cf132ba52e952ff10d46f8cba56bf305eadce267921f

    SHA512

    5b735d8566719c65303de40715c39881fb16457d5fba3be5333a4f8d576dfcda7a7a70caec4103a538e4f5ea052e64c5a6f0891a45777b7eed7a483b50935c72

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB922.tmp
    Filesize

    56KB

    MD5

    1c832d859b03f2e59817374006fe1189

    SHA1

    a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

    SHA256

    bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

    SHA512

    c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB937.tmp
    Filesize

    228KB

    MD5

    ee463e048e56b687d02521cd12788e2c

    SHA1

    ee26598f8e8643df84711960e66a20ecbc6321b8

    SHA256

    3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8

    SHA512

    42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB953.tmp
    Filesize

    96KB

    MD5

    6066c07e98c96795ecd876aa92fe10f8

    SHA1

    f73cbd7b307c53aaae38677d6513b1baa729ac9f

    SHA256

    33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

    SHA512

    7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

    Download Submit

  • memory/1976-8-0x0000000074C60000-0x0000000075410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1976-4-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1976-9-0x0000000006180000-0x00000000061E2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1976-10-0x00000000062E0000-0x000000000637C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1976-1-0x0000000000490000-0x0000000000528000-memory.dmp

    Filesize

    608KB

    Download

  • memory/1976-6-0x0000000005550000-0x0000000005560000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1976-14-0x0000000074C60000-0x0000000075410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1976-2-0x00000000055B0000-0x0000000005B54000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1976-3-0x0000000004EF0000-0x0000000004F82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1976-7-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1976-5-0x0000000074C60000-0x0000000075410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5028-15-0x0000000005660000-0x0000000005C78000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5028-16-0x0000000074C60000-0x0000000075410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5028-21-0x00000000054E0000-0x00000000055EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5028-22-0x0000000006900000-0x0000000006AC2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5028-23-0x0000000007000000-0x000000000752C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/5028-24-0x0000000006AD0000-0x0000000006B36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5028-19-0x0000000074C60000-0x0000000075410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5028-18-0x0000000005240000-0x000000000527C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5028-20-0x0000000005280000-0x00000000052CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5028-17-0x00000000051E0000-0x00000000051F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5028-11-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5028-158-0x0000000006DA0000-0x0000000006E16000-memory.dmp

    Filesize

    472KB

    Download

  • memory/5028-159-0x0000000007650000-0x000000000766E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5028-175-0x0000000074C60000-0x0000000075410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5028-176-0x0000000074C60000-0x0000000075410000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5028-177-0x0000000074C60000-0x0000000075410000-memory.dmp

    Filesize

    7.7MB

    Download