Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
02-11-2020 09:08
General
-
Target
557e20f7eb9ae27ba43e2452a766e465.exe
-
Size
667KB
-
MD5
557e20f7eb9ae27ba43e2452a766e465
-
SHA1
3b6e9753bfbc837e710ae071c342e9d45e325072
-
SHA256
467343e673ecbdd5597b4e4e0b0439dd4ad9b8c00471334d4df0d0e2decabd6d
-
SHA512
794b4e367dc79468b188301061200449419befe3d96e5563a8b2ad0e1beb9173fa380718246f1899e5ade52227a917ce47b16af3246f2bddc9d5cb85e7b4d584
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 57 IoCs
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 13 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\557e20f7eb9ae27ba43e2452a766e465.exe"C:\Users\Admin\AppData\Local\Temp\557e20f7eb9ae27ba43e2452a766e465.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 7562⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 8642⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 12082⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 15682⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 15762⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exebestof.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 35⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestofd.exebestofd.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 5323⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 6963⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 12563⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 13083⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 13203⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 12283⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 13563⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 14843⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
b77a1d58626a5d4a77202afbf717accb
SHA11a37bf11e2b75384785d05780fe17fe1167bfbb1
SHA256a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13
SHA512d12789afcdf0b6dc4dfd5c944c56466c3305b1f87670a038401e22a27ee8980b11a6039e73c4729c731dfd241fdb84c7c850c6ee2cd04bdfac6d5f5b2c8fff26
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
b77a1d58626a5d4a77202afbf717accb
SHA11a37bf11e2b75384785d05780fe17fe1167bfbb1
SHA256a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13
SHA512d12789afcdf0b6dc4dfd5c944c56466c3305b1f87670a038401e22a27ee8980b11a6039e73c4729c731dfd241fdb84c7c850c6ee2cd04bdfac6d5f5b2c8fff26
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestofd.exeMD5
72131adb0e2315281aae445db11e09a2
SHA1712ca2ebaa7d9bc9bbe18f7843954cfb0d22b08e
SHA2569ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
SHA512bbc68fa0c586aaa7227da59848407672e7629e8f1289384add8638c21bab69d41495bcfc7881446b527e5aa4db14e1babc4f71dfee32b69705e6d3b64bf46a22
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestofd.exeMD5
72131adb0e2315281aae445db11e09a2
SHA1712ca2ebaa7d9bc9bbe18f7843954cfb0d22b08e
SHA2569ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
SHA512bbc68fa0c586aaa7227da59848407672e7629e8f1289384add8638c21bab69d41495bcfc7881446b527e5aa4db14e1babc4f71dfee32b69705e6d3b64bf46a22
-
memory/1220-72-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/1220-64-0x00000000043B0000-0x00000000043B1000-memory.dmpFilesize
4KB
-
memory/1268-108-0x0000000000000000-mapping.dmp
-
memory/1268-178-0x0000000000000000-mapping.dmp
-
memory/1268-166-0x0000000000000000-mapping.dmp
-
memory/1268-200-0x0000000000000000-mapping.dmp
-
memory/1268-208-0x0000000000000000-mapping.dmp
-
memory/1268-207-0x0000000000000000-mapping.dmp
-
memory/1268-206-0x0000000000000000-mapping.dmp
-
memory/1268-205-0x0000000000000000-mapping.dmp
-
memory/1268-163-0x0000000000000000-mapping.dmp
-
memory/1268-118-0x0000000000000000-mapping.dmp
-
memory/1268-204-0x0000000000000000-mapping.dmp
-
memory/1268-165-0x0000000000000000-mapping.dmp
-
memory/1268-164-0x0000000000000000-mapping.dmp
-
memory/1268-203-0x0000000000000000-mapping.dmp
-
memory/1268-202-0x0000000000000000-mapping.dmp
-
memory/1268-201-0x0000000000000000-mapping.dmp
-
memory/1268-197-0x0000000000000000-mapping.dmp
-
memory/1268-195-0x0000000000000000-mapping.dmp
-
memory/1268-196-0x0000000000000000-mapping.dmp
-
memory/1268-194-0x0000000000000000-mapping.dmp
-
memory/1268-189-0x0000000000000000-mapping.dmp
-
memory/1268-39-0x0000000000000000-mapping.dmp
-
memory/1268-154-0x0000000000000000-mapping.dmp
-
memory/1268-155-0x0000000000000000-mapping.dmp
-
memory/1268-193-0x0000000000000000-mapping.dmp
-
memory/1268-192-0x0000000000000000-mapping.dmp
-
memory/1268-191-0x0000000000000000-mapping.dmp
-
memory/1268-45-0x00000000025D4000-0x00000000025D5000-memory.dmpFilesize
4KB
-
memory/1268-190-0x0000000000000000-mapping.dmp
-
memory/1268-47-0x0000000004240000-0x0000000004241000-memory.dmpFilesize
4KB
-
memory/1268-48-0x0000000004560000-0x0000000004561000-memory.dmpFilesize
4KB
-
memory/1268-49-0x0000000072A00000-0x00000000730EE000-memory.dmpFilesize
6.9MB
-
memory/1268-188-0x0000000000000000-mapping.dmp
-
memory/1268-184-0x0000000000000000-mapping.dmp
-
memory/1268-53-0x0000000000000000-mapping.dmp
-
memory/1268-54-0x0000000000000000-mapping.dmp
-
memory/1268-55-0x0000000000000000-mapping.dmp
-
memory/1268-56-0x0000000000000000-mapping.dmp
-
memory/1268-57-0x0000000000000000-mapping.dmp
-
memory/1268-183-0x0000000000000000-mapping.dmp
-
memory/1268-60-0x0000000000000000-mapping.dmp
-
memory/1268-59-0x0000000000000000-mapping.dmp
-
memory/1268-61-0x0000000000000000-mapping.dmp
-
memory/1268-62-0x0000000000000000-mapping.dmp
-
memory/1268-182-0x0000000000000000-mapping.dmp
-
memory/1268-152-0x0000000000000000-mapping.dmp
-
memory/1268-68-0x0000000000000000-mapping.dmp
-
memory/1268-67-0x0000000000000000-mapping.dmp
-
memory/1268-70-0x0000000000000000-mapping.dmp
-
memory/1268-69-0x0000000000000000-mapping.dmp
-
memory/1268-71-0x0000000000000000-mapping.dmp
-
memory/1268-181-0x0000000000000000-mapping.dmp
-
memory/1268-73-0x0000000000000000-mapping.dmp
-
memory/1268-74-0x0000000000000000-mapping.dmp
-
memory/1268-76-0x0000000000000000-mapping.dmp
-
memory/1268-75-0x0000000000000000-mapping.dmp
-
memory/1268-77-0x00000000040C0000-0x00000000040E4000-memory.dmpFilesize
144KB
-
memory/1268-79-0x0000000004560000-0x0000000004582000-memory.dmpFilesize
136KB
-
memory/1268-180-0x0000000000000000-mapping.dmp
-
memory/1268-116-0x0000000000000000-mapping.dmp
-
memory/1268-179-0x0000000000000000-mapping.dmp
-
memory/1268-170-0x0000000000000000-mapping.dmp
-
memory/1268-177-0x0000000000000000-mapping.dmp
-
memory/1268-176-0x0000000000000000-mapping.dmp
-
memory/1268-96-0x0000000000000000-mapping.dmp
-
memory/1268-95-0x0000000000000000-mapping.dmp
-
memory/1268-97-0x0000000000000000-mapping.dmp
-
memory/1268-98-0x0000000000000000-mapping.dmp
-
memory/1268-99-0x0000000000000000-mapping.dmp
-
memory/1268-100-0x0000000000000000-mapping.dmp
-
memory/1268-101-0x0000000000000000-mapping.dmp
-
memory/1268-150-0x0000000000000000-mapping.dmp
-
memory/1268-103-0x0000000000000000-mapping.dmp
-
memory/1268-105-0x0000000000000000-mapping.dmp
-
memory/1268-106-0x0000000000000000-mapping.dmp
-
memory/1268-169-0x0000000000000000-mapping.dmp
-
memory/1268-107-0x0000000000000000-mapping.dmp
-
memory/1268-109-0x0000000000000000-mapping.dmp
-
memory/1268-174-0x0000000000000000-mapping.dmp
-
memory/1268-149-0x0000000000000000-mapping.dmp
-
memory/1268-114-0x0000000000000000-mapping.dmp
-
memory/1268-115-0x0000000000000000-mapping.dmp
-
memory/1268-146-0x0000000000000000-mapping.dmp
-
memory/1268-173-0x0000000000000000-mapping.dmp
-
memory/1268-148-0x0000000000000000-mapping.dmp
-
memory/1268-117-0x0000000000000000-mapping.dmp
-
memory/1268-119-0x0000000000000000-mapping.dmp
-
memory/1268-120-0x0000000000000000-mapping.dmp
-
memory/1268-121-0x0000000000000000-mapping.dmp
-
memory/1268-147-0x0000000000000000-mapping.dmp
-
memory/1268-123-0x0000000000000000-mapping.dmp
-
memory/1268-124-0x0000000000000000-mapping.dmp
-
memory/1268-125-0x0000000000000000-mapping.dmp
-
memory/1268-127-0x0000000000000000-mapping.dmp
-
memory/1268-126-0x0000000000000000-mapping.dmp
-
memory/1268-128-0x0000000000000000-mapping.dmp
-
memory/1268-129-0x0000000000000000-mapping.dmp
-
memory/1268-130-0x0000000000000000-mapping.dmp
-
memory/1268-172-0x0000000000000000-mapping.dmp
-
memory/1268-134-0x0000000000000000-mapping.dmp
-
memory/1268-135-0x0000000000000000-mapping.dmp
-
memory/1268-136-0x0000000000000000-mapping.dmp
-
memory/1268-137-0x0000000000000000-mapping.dmp
-
memory/1268-138-0x0000000000000000-mapping.dmp
-
memory/1268-139-0x0000000000000000-mapping.dmp
-
memory/1268-141-0x0000000000000000-mapping.dmp
-
memory/1268-140-0x0000000000000000-mapping.dmp
-
memory/1268-143-0x0000000000000000-mapping.dmp
-
memory/1268-142-0x0000000000000000-mapping.dmp
-
memory/1268-171-0x0000000000000000-mapping.dmp
-
memory/1268-145-0x0000000000000000-mapping.dmp
-
memory/1268-113-0x0000000000000000-mapping.dmp
-
memory/2008-29-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/2008-28-0x0000000072A00000-0x00000000730EE000-memory.dmpFilesize
6.9MB
-
memory/2008-25-0x0000000000000000-mapping.dmp
-
memory/2300-175-0x0000000005830000-0x0000000005831000-memory.dmpFilesize
4KB
-
memory/2300-160-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/2756-10-0x0000000004520000-0x0000000004521000-memory.dmpFilesize
4KB
-
memory/2756-13-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/2772-122-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/2772-110-0x0000000004750000-0x0000000004751000-memory.dmpFilesize
4KB
-
memory/2788-2-0x0000000004750000-0x0000000004751000-memory.dmpFilesize
4KB
-
memory/2788-3-0x0000000004750000-0x0000000004751000-memory.dmpFilesize
4KB
-
memory/2788-5-0x0000000004D80000-0x0000000004D81000-memory.dmpFilesize
4KB
-
memory/2940-9-0x00000000055C0000-0x00000000055C1000-memory.dmpFilesize
4KB
-
memory/2940-6-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/3156-199-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/3156-185-0x00000000043B0000-0x00000000043B1000-memory.dmpFilesize
4KB
-
memory/3476-58-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/3476-50-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/3476-51-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/3492-44-0x00000000058A0000-0x00000000058A1000-memory.dmpFilesize
4KB
-
memory/3492-38-0x00000000057A0000-0x00000000057C2000-memory.dmpFilesize
136KB
-
memory/3492-167-0x0000000008F00000-0x0000000008F01000-memory.dmpFilesize
4KB
-
memory/3492-91-0x00000000074B0000-0x00000000074B1000-memory.dmpFilesize
4KB
-
memory/3492-90-0x0000000007430000-0x0000000007431000-memory.dmpFilesize
4KB
-
memory/3492-89-0x00000000071C0000-0x00000000071C1000-memory.dmpFilesize
4KB
-
memory/3492-85-0x0000000007260000-0x0000000007261000-memory.dmpFilesize
4KB
-
memory/3492-31-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/3492-63-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/3492-104-0x0000000007FF0000-0x0000000007FF1000-memory.dmpFilesize
4KB
-
memory/3492-32-0x000000000040CD2F-mapping.dmp
-
memory/3492-87-0x0000000007960000-0x0000000007961000-memory.dmpFilesize
4KB
-
memory/3492-33-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/3492-46-0x0000000005910000-0x0000000005911000-memory.dmpFilesize
4KB
-
memory/3492-168-0x0000000008FF0000-0x0000000008FF1000-memory.dmpFilesize
4KB
-
memory/3492-43-0x00000000058C0000-0x00000000058C1000-memory.dmpFilesize
4KB
-
memory/3492-42-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3492-34-0x0000000003270000-0x0000000003271000-memory.dmpFilesize
4KB
-
memory/3492-37-0x0000000005D70000-0x0000000005D71000-memory.dmpFilesize
4KB
-
memory/3492-36-0x0000000003230000-0x0000000003254000-memory.dmpFilesize
144KB
-
memory/3492-35-0x0000000072A00000-0x00000000730EE000-memory.dmpFilesize
6.9MB
-
memory/3620-144-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/3620-131-0x00000000043B0000-0x00000000043B1000-memory.dmpFilesize
4KB
-
memory/3856-198-0x0000000000000000-mapping.dmp
-
memory/3892-209-0x0000000000000000-mapping.dmp
-
memory/3932-18-0x00000000043B0000-0x00000000043B1000-memory.dmpFilesize
4KB
-
memory/3932-24-0x00000000048A0000-0x00000000048A1000-memory.dmpFilesize
4KB
-
memory/3932-23-0x00000000043B0000-0x00000000043B1000-memory.dmpFilesize
4KB
-
memory/3968-1-0x00000000028A0000-0x00000000028A1000-memory.dmpFilesize
4KB
-
memory/3968-0-0x00000000023A3000-0x00000000023A4000-memory.dmpFilesize
4KB
-
memory/3996-92-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/3996-102-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/4040-17-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/4040-14-0x0000000004870000-0x0000000004871000-memory.dmpFilesize
4KB