Analysis
max time kernel: 298s
max time network: 298s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 01-07-2024 05:09
Static task: static1
Behavioral task: behavioral1
Sample: e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Resource: win7-20240508-en
General
Target: e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Size: 1.9MB
MD5: 5ad5e4f1f3126c5d6cfdbfbbe5597c84
SHA1: 47b46cbe987e0e33c9d23f4c6cc304d116e5e80f
SHA256: e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0
SHA512: 8c58379f3107cc67944d003df964f123848c9e7b55edbda3d256915cbbf666fa62e8878bb0c091c84e0057fe5097fef8e3eb49f2382519dc4a06f31a4c37b163
SSDEEP: 49152:izPvPgeS5GaqaHrxCTZtEsO/kLMUunFvGA0WyUAD:YfgbNHrxCTkRWunZRyUA
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
stealc
jopa
http://65.21.175.0
-
url_path
/108e010e8f91c38c.php
Extracted
redline
LiveTraffoc
4.185.56.82:42687
Extracted
stealc
ZOV
http://40.86.87.10
-
url_path
/108e010e8f91c38c.php
Extracted
redline
newbuild
185.215.113.67:40960
Extracted
lumma
https://groundsmooors.shop/api
https://potterryisiw.shop/api
https://foodypannyjsud.shop/api
https://contintnetksows.shop/api
https://reinforcedirectorywd.shop/api
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/852-132-0x0000000000400000-0x0000000000450000-memory.dmp | family_redline
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe | family_redline
behavioral2/memory/1836-198-0x0000000000370000-0x00000000003C0000-memory.dmp | family_redline
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
-
Executes dropped EXE 21 IoCs
Processes:
pid | process
4544 | axplong.exe
5044 | streamer.exe
4664 | TpWWMUpe0LEV.exe
1428 | axplong.exe
5024 | Freshbuild.exe
4512 | crypt6.exe
4856 | Hkbsse.exe
2208 | newlogs.exe
2712 | stealc_zov.exe
4896 | 1.exe
1836 | newbuild.exe
4352 | realtekdriver.exe
5480 | realtekdriver.exe
5504 | axplong.exe
5580 | Hkbsse.exe
2888 | Hkbsse.exe
168 | axplong.exe
4108 | axplong.exe
5252 | Hkbsse.exe
5560 | Hkbsse.exe
5212 | axplong.exe
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | axplong.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
4664 | TpWWMUpe0LEV.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\ScannerService = "C:\\Users\\Admin\\AppData\\Roaming\\ScannerService.exe" | realtekdriver.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
pid | process
2584 | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
4544 | axplong.exe
1428 | axplong.exe
5504 | axplong.exe
168 | axplong.exe
4108 | axplong.exe
5212 | axplong.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 4664 set thread context of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4512 set thread context of 852 | 4512 | crypt6.exe | RegAsm.exe
PID 5044 set thread context of 3056 | 5044 | streamer.exe | BitLockerToGo.exe
PID 4352 set thread context of 5480 | 4352 | realtekdriver.exe | realtekdriver.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\axplong.job | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
File created | C:\Windows\Tasks\Hkbsse.job | Freshbuild.exe
File created | C:\Windows\Tasks\Test Task17.job | realtekdriver.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
1276 | 4512 | WerFault.exe | crypt6.exe
4848 | 4896 | WerFault.exe | 1.exe
3844 | 2216 | WerFault.exe | aspnet_regiis.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | aspnet_regiis.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | aspnet_regiis.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
pid | process
2584 | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
2584 | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
4544 | axplong.exe
4544 | axplong.exe
1428 | axplong.exe
1428 | axplong.exe
852 | RegAsm.exe
852 | RegAsm.exe
852 | RegAsm.exe
3740 | powershell.exe
3740 | powershell.exe
3740 | powershell.exe
5504 | axplong.exe
5504 | axplong.exe
2216 | aspnet_regiis.exe
2216 | aspnet_regiis.exe
168 | axplong.exe
168 | axplong.exe
4108 | axplong.exe
4108 | axplong.exe
5212 | axplong.exe
5212 | axplong.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4352 | realtekdriver.exe
Token: SeDebugPrivilege | 852 | RegAsm.exe
Token: SeDebugPrivilege | 4352 | realtekdriver.exe
Token: SeDebugPrivilege | 3740 | powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2584 wrote to memory of 4544 | 2584 | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe | axplong.exe
PID 2584 wrote to memory of 4544 | 2584 | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe | axplong.exe
PID 2584 wrote to memory of 4544 | 2584 | e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe | axplong.exe
PID 4544 wrote to memory of 5044 | 4544 | axplong.exe | streamer.exe
PID 4544 wrote to memory of 5044 | 4544 | axplong.exe | streamer.exe
PID 4544 wrote to memory of 4664 | 4544 | axplong.exe | TpWWMUpe0LEV.exe
PID 4544 wrote to memory of 4664 | 4544 | axplong.exe | TpWWMUpe0LEV.exe
PID 4544 wrote to memory of 4664 | 4544 | axplong.exe | TpWWMUpe0LEV.exe
PID 4664 wrote to memory of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4664 wrote to memory of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4664 wrote to memory of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4664 wrote to memory of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4664 wrote to memory of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4664 wrote to memory of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4664 wrote to memory of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4664 wrote to memory of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4664 wrote to memory of 2216 | 4664 | TpWWMUpe0LEV.exe | aspnet_regiis.exe
PID 4544 wrote to memory of 5024 | 4544 | axplong.exe | Freshbuild.exe
PID 4544 wrote to memory of 5024 | 4544 | axplong.exe | Freshbuild.exe
PID 4544 wrote to memory of 5024 | 4544 | axplong.exe | Freshbuild.exe
PID 4544 wrote to memory of 4512 | 4544 | axplong.exe | crypt6.exe
PID 4544 wrote to memory of 4512 | 4544 | axplong.exe | crypt6.exe
PID 4544 wrote to memory of 4512 | 4544 | axplong.exe | crypt6.exe
PID 5024 wrote to memory of 4856 | 5024 | Freshbuild.exe | Hkbsse.exe
PID 5024 wrote to memory of 4856 | 5024 | Freshbuild.exe | Hkbsse.exe
PID 5024 wrote to memory of 4856 | 5024 | Freshbuild.exe | Hkbsse.exe
PID 4512 wrote to memory of 3780 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 3780 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 3780 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 852 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 852 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 852 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 852 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 852 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 852 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 852 | 4512 | crypt6.exe | RegAsm.exe
PID 4512 wrote to memory of 852 | 4512 | crypt6.exe | RegAsm.exe
PID 4544 wrote to memory of 2208 | 4544 | axplong.exe | newlogs.exe
PID 4544 wrote to memory of 2208 | 4544 | axplong.exe | newlogs.exe
PID 4544 wrote to memory of 2208 | 4544 | axplong.exe | newlogs.exe
PID 4544 wrote to memory of 2712 | 4544 | axplong.exe | stealc_zov.exe
PID 4544 wrote to memory of 2712 | 4544 | axplong.exe | stealc_zov.exe
PID 4544 wrote to memory of 2712 | 4544 | axplong.exe | stealc_zov.exe
PID 4856 wrote to memory of 4896 | 4856 | Hkbsse.exe | 1.exe
PID 4856 wrote to memory of 4896 | 4856 | Hkbsse.exe | 1.exe
PID 4856 wrote to memory of 4896 | 4856 | Hkbsse.exe | 1.exe
PID 4544 wrote to memory of 1836 | 4544 | axplong.exe | newbuild.exe
PID 4544 wrote to memory of 1836 | 4544 | axplong.exe | newbuild.exe
PID 4544 wrote to memory of 1836 | 4544 | axplong.exe | newbuild.exe
PID 4544 wrote to memory of 4352 | 4544 | axplong.exe | realtekdriver.exe
PID 4544 wrote to memory of 4352 | 4544 | axplong.exe | realtekdriver.exe
PID 4544 wrote to memory of 4352 | 4544 | axplong.exe | realtekdriver.exe
PID 5044 wrote to memory of 3056 | 5044 | streamer.exe | BitLockerToGo.exe
PID 5044 wrote to memory of 3056 | 5044 | streamer.exe | BitLockerToGo.exe
PID 5044 wrote to memory of 3056 | 5044 | streamer.exe | BitLockerToGo.exe
PID 5044 wrote to memory of 3056 | 5044 | streamer.exe | BitLockerToGo.exe
PID 5044 wrote to memory of 3056 | 5044 | streamer.exe | BitLockerToGo.exe
PID 4352 wrote to memory of 3740 | 4352 | realtekdriver.exe | powershell.exe
PID 4352 wrote to memory of 3740 | 4352 | realtekdriver.exe | powershell.exe
PID 4352 wrote to memory of 3740 | 4352 | realtekdriver.exe | powershell.exe
PID 4352 wrote to memory of 5480 | 4352 | realtekdriver.exe | realtekdriver.exe
PID 4352 wrote to memory of 5480 | 4352 | realtekdriver.exe | realtekdriver.exe
PID 4352 wrote to memory of 5480 | 4352 | realtekdriver.exe | realtekdriver.exe
PID 4352 wrote to memory of 5480 | 4352 | realtekdriver.exe | realtekdriver.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe" (tree depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe" (tree depth 2)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe" (tree depth 3)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (tree depth 4)
-
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe" (tree depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" (tree depth 4)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 756 (tree depth 5)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe" (tree depth 3)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe" (tree depth 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe" (tree depth 5)
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 504 (tree depth 6)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe" (tree depth 3)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (tree depth 4)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (tree depth 4)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 328 (tree depth 4)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe" (tree depth 3)
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe" (tree depth 3)
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe" (tree depth 3)
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe" (tree depth 3)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe" (tree depth 4)
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe (tree depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe (tree depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe (tree depth 1)
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe (tree depth 1)
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe (tree depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe (tree depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe (tree depth 1)
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe (tree depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe (tree depth 1)
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000028001\1.exe
Filesize 240KB
MD5 b5b04a1ea6d55d9b62d90de0d89a0199
SHA1 567cb7d6182173e4a00356bd7d770c2625cfc0f5
SHA256 5c14b695450b36c84924c067f8e38374ca05d814293d26ca2e0d0ac02ec4eaa8
SHA512 d398d441e71bf1176a12e8834674d3c19e95c29824ffc718acb4bc114d7318b7bc6d859dd60710062150142afa4336acd8fbb5c5a600465c4799b833cc9bacef
-
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
Filesize 6.2MB
MD5 b9265c31743db2e9698a08df7b0c5e9d
SHA1 aa01367b13f827a5773d0781692809ae175bc718
SHA256 b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af
SHA512 1678d62ad17ce27394599f2835f3c1f209f544fdfae4c54034e7da06936768fe487a55811d9f0919018113af50153437ea0631968814910db69df0ffda36a133
-
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Filesize 1.2MB
MD5 242214131486132e33ceda794d66ca1f
SHA1 4ce34fd91f5c9e35b8694007b286635663ef9bf2
SHA256 bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361
SHA512 031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29
-
C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
Filesize 26KB
MD5 a5ff7cd55cdc3a6ac2b92921e077af48
SHA1 06b92c48dc2274012cab6f1cc1cb90c37d9bd295
SHA256 1668caa20d824d4a448e8847f14e1f57fcb01b3da432b78e95c85c29a833577c
SHA512 3dc75cda233b7727726090e9bde331c784b0384afde76b393b90df950cb1f2171d41767c9238c0e32bb455c8c0ed7cb89523b197dbed1ee4bd860e37a4717c09
-
C:\Users\Admin\AppData\Local\Temp\1000116001\FILE1.exe
Filesize 26KB
MD5 72b1f323bf152711ab422044c089a33f
SHA1 2e1aa28d553e54331d4d90a8dfddcaef7da71f61
SHA256 5761dc942ec9b0c00dd9aa179a04c458b9e9fc738d093a376b97a6e199b71833
SHA512 429150a8e81d17329bb9823fd8cafb56f2529ac3668d79bed149b6170a74c68b6ea30f4c7dcbbc67821ef2455807e4ff5b2ad4f3e0bc0838950001efac4f67f9
-
C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
Filesize 415KB
MD5 07101cac5b9477ba636cd8ca7b9932cb
SHA1 59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256 488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA512 02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
Filesize 512KB
MD5 a957dc16d684fbd7e12fc87e8ee12fea
SHA1 20c73ccfdba13fd9b79c9e02432be39e48e4b37d
SHA256 071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37
SHA512 fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b
-
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
Filesize 297KB
MD5 0970456d2e2bcb36f49d23f5f2eec4ce
SHA1 1e427bbeb209b636371d17801b14fabff87921be
SHA256 264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54
SHA512 43c233e6c6fb20ee5830672f68eec2a1930aff6c3da185b7af56ede90970041157755b8893a86336711c8ba8cbe3f22818de8ddc1789ed65a7aacd596771909e
-
C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
Filesize 158KB
MD5 253ccac8a47b80287f651987c0c779ea
SHA1 11db405849dbaa9b3759de921835df20fab35bc3
SHA256 262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f
SHA512 af40e01bc3d36baf47eba1d5d6406220dfbcc52c6123dd8450e709fed3e72bed82aac6257fa7bdf7dd774f182919a5051e9712b2e7f1329defd0b159cb08385d
-
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
Filesize 297KB
MD5 9ab4de8b2f2b99f009d32aa790cd091b
SHA1 a86b16ee4676850bac14c50ee698a39454d0231e
SHA256 8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1
SHA512 a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe
-
C:\Users\Admin\AppData\Local\Temp\1000135001\realtekdriver.exe
Filesize 2.1MB
MD5 662404ed188bfab5386fc73a0a7732d4
SHA1 79ccf9c9015384fe6d7b0245720a2a59a27cebfb
SHA256 601c31115b7c8db7e45d8a4386252f8b4a09d49b7d55eb25c9c49932828d718c
SHA512 ae90c377177528db849026192e93b0558e0ea5e84953b61e591910c69d2453f5fb73cc431853531bbf6a5c33e2a711620ca6e8e6f061eab7f93f5a8f1caf46d7
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize 1.9MB
MD5 5ad5e4f1f3126c5d6cfdbfbbe5597c84
SHA1 47b46cbe987e0e33c9d23f4c6cc304d116e5e80f
SHA256 e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0
SHA512 8c58379f3107cc67944d003df964f123848c9e7b55edbda3d256915cbbf666fa62e8878bb0c091c84e0057fe5097fef8e3eb49f2382519dc4a06f31a4c37b163
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbfxle2z.2tq.ps1
Filesize 1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
\Users\Admin\AppData\Roaming\d3d9.dll
Filesize 279KB
MD5 8fa26f1e37d3ff7f736fc93d520bc8ab
SHA1 ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1
SHA256 6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d
SHA512 8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287
-
- memory/168-5422-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/852-145-0x0000000007A50000-0x0000000007B5A000-memory.dmp (Filesize 1.0MB)
- memory/852-136-0x00000000061F0000-0x00000000067F6000-memory.dmp (Filesize 6.0MB)
- memory/852-151-0x00000000079C0000-0x0000000007A0B000-memory.dmp (Filesize 300KB)
- memory/852-150-0x0000000007980000-0x00000000079BE000-memory.dmp (Filesize 248KB)
- memory/852-5092-0x0000000008B00000-0x0000000008CC2000-memory.dmp (Filesize 1.8MB)
- memory/852-310-0x0000000005CB0000-0x0000000005D16000-memory.dmp (Filesize 408KB)
- memory/852-146-0x00000000061C0000-0x00000000061D2000-memory.dmp (Filesize 72KB)
- memory/852-1266-0x00000000088E0000-0x0000000008930000-memory.dmp (Filesize 320KB)
- memory/852-5093-0x0000000009200000-0x000000000972C000-memory.dmp (Filesize 5.2MB)
- memory/852-132-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize 320KB)
- memory/852-133-0x00000000052E0000-0x00000000057DE000-memory.dmp (Filesize 5.0MB)
- memory/852-134-0x0000000004DE0000-0x0000000004E72000-memory.dmp (Filesize 584KB)
- memory/852-135-0x0000000004DA0000-0x0000000004DAA000-memory.dmp (Filesize 40KB)
- memory/1428-110-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/1428-84-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/1836-198-0x0000000000370000-0x00000000003C0000-memory.dmp (Filesize 320KB)
- memory/2216-72-0x0000000000400000-0x000000000063C000-memory.dmp (Filesize 2.2MB)
- memory/2216-68-0x0000000000400000-0x000000000063C000-memory.dmp (Filesize 2.2MB)
- memory/2584-5-0x0000000001090000-0x0000000001568000-memory.dmp (Filesize 4.8MB)
- memory/2584-13-0x0000000001090000-0x0000000001568000-memory.dmp (Filesize 4.8MB)
- memory/2584-3-0x0000000001090000-0x0000000001568000-memory.dmp (Filesize 4.8MB)
- memory/2584-2-0x0000000001091000-0x00000000010BF000-memory.dmp (Filesize 184KB)
- memory/2584-1-0x0000000077854000-0x0000000077855000-memory.dmp (Filesize 4KB)
- memory/2584-0-0x0000000001090000-0x0000000001568000-memory.dmp (Filesize 4.8MB)
- memory/2712-164-0x0000000001000000-0x000000000123C000-memory.dmp (Filesize 2.2MB)
- memory/2712-5463-0x0000000001000000-0x000000000123C000-memory.dmp (Filesize 2.2MB)
- memory/3740-5355-0x0000000009BE0000-0x0000000009BE8000-memory.dmp (Filesize 32KB)
- memory/3740-5150-0x000000006BB90000-0x000000006BBDB000-memory.dmp (Filesize 300KB)
- memory/3740-5149-0x0000000009940000-0x0000000009973000-memory.dmp (Filesize 204KB)
- memory/3740-5151-0x0000000009920000-0x000000000993E000-memory.dmp (Filesize 120KB)
- memory/3740-5130-0x0000000008860000-0x00000000088D6000-memory.dmp (Filesize 472KB)
- memory/3740-5129-0x0000000008590000-0x00000000085AC000-memory.dmp (Filesize 112KB)
- memory/3740-5128-0x0000000008240000-0x0000000008590000-memory.dmp (Filesize 3.3MB)
- memory/3740-5127-0x00000000081D0000-0x0000000008236000-memory.dmp (Filesize 408KB)
- memory/3740-5126-0x00000000077B0000-0x00000000077D2000-memory.dmp (Filesize 136KB)
- memory/3740-5125-0x0000000007940000-0x0000000007F68000-memory.dmp (Filesize 6.2MB)
- memory/3740-5123-0x0000000004D40000-0x0000000004D76000-memory.dmp (Filesize 216KB)
- memory/3740-5156-0x0000000009A70000-0x0000000009B15000-memory.dmp (Filesize 660KB)
- memory/3740-5157-0x0000000009C50000-0x0000000009CE4000-memory.dmp (Filesize 592KB)
- memory/3740-5350-0x0000000009BF0000-0x0000000009C0A000-memory.dmp (Filesize 104KB)
- memory/4108-5450-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/4352-254-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-252-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-236-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-232-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-230-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-226-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-224-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-244-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-234-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-228-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-223-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-264-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-268-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-278-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-246-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-276-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-274-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-272-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-266-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-262-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-270-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-248-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-5091-0x0000000006E40000-0x0000000006E8C000-memory.dmp (Filesize 304KB)
- memory/4352-5090-0x0000000006DE0000-0x0000000006E3A000-memory.dmp (Filesize 360KB)
- memory/4352-250-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-242-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-5113-0x0000000007880000-0x00000000078D4000-memory.dmp (Filesize 336KB)
- memory/4352-256-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-258-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-260-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-240-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-238-0x00000000068B0000-0x0000000006AC5000-memory.dmp (Filesize 2.1MB)
- memory/4352-222-0x00000000068B0000-0x0000000006ACC000-memory.dmp (Filesize 2.1MB)
- memory/4352-221-0x0000000005560000-0x000000000577A000-memory.dmp (Filesize 2.1MB)
- memory/4352-217-0x0000000000A00000-0x0000000000C26000-memory.dmp (Filesize 2.1MB)
- memory/4544-18-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/4544-17-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/4544-218-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/4544-220-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/4544-120-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/4544-47-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/4544-15-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/4544-16-0x0000000001321000-0x000000000134F000-memory.dmp (Filesize 184KB)
- memory/4664-61-0x0000000000410000-0x0000000000542000-memory.dmp (Filesize 1.2MB)
- memory/5044-219-0x00007FF673AB0000-0x00007FF674146000-memory.dmp (Filesize 6.6MB)
- memory/5212-5478-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/5212-5480-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/5504-5393-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)
- memory/5504-5391-0x0000000001320000-0x00000000017F8000-memory.dmp (Filesize 4.8MB)