Analysis
-
max time kernel
36s -
max time network
36s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
02-11-2020 09:10
Static task
static1
Behavioral task
behavioral1
Sample
cfa3fbe4fcd80eabc714b98b532bcb21.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
cfa3fbe4fcd80eabc714b98b532bcb21.exe
Resource
win10v20201028
General
-
Target
cfa3fbe4fcd80eabc714b98b532bcb21.exe
-
Size
667KB
-
MD5
cfa3fbe4fcd80eabc714b98b532bcb21
-
SHA1
730fdcea25571f6a2ba16361a534b167d47da56b
-
SHA256
d740674533d5c0fb220dceec7eb0d440a1f01231a728030b355361b9f0aeff77
-
SHA512
74f1b86bfd89daac5568e3f43c8adb1f0e96dad09897a59d5ce6b7ac884b05f9f9a5987803bb8645b7275634b25d073a7c88053561a661df5f95ad9a15e007a5
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/328-18-0x00000000005D0000-0x00000000005F4000-memory.dmp family_redline behavioral1/memory/328-19-0x0000000000810000-0x0000000000832000-memory.dmp family_redline behavioral1/memory/1120-24-0x0000000003EC0000-0x0000000003EE4000-memory.dmp family_redline behavioral1/memory/1120-25-0x0000000003F50000-0x0000000003F72000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
Processes:
bestof.exebestofd.exepid process 1420 bestof.exe 1120 bestofd.exe -
Loads dropped DLL 2 IoCs
Processes:
cfa3fbe4fcd80eabc714b98b532bcb21.exepid process 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 ip-api.com 18 checkip.amazonaws.com 19 checkip.amazonaws.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
bestof.exedescription pid process target process PID 1420 set thread context of 328 1420 bestof.exe AddInProcess32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
cfa3fbe4fcd80eabc714b98b532bcb21.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 cfa3fbe4fcd80eabc714b98b532bcb21.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cfa3fbe4fcd80eabc714b98b532bcb21.exe -
Processes:
cfa3fbe4fcd80eabc714b98b532bcb21.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 cfa3fbe4fcd80eabc714b98b532bcb21.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 cfa3fbe4fcd80eabc714b98b532bcb21.exe -
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
AddInProcess32.exebestofd.exepid process 328 AddInProcess32.exe 1120 bestofd.exe 1120 bestofd.exe 328 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
bestof.exebestofd.exeAddInProcess32.exedescription pid process Token: SeDebugPrivilege 1420 bestof.exe Token: SeDebugPrivilege 1120 bestofd.exe Token: SeDebugPrivilege 328 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
cfa3fbe4fcd80eabc714b98b532bcb21.exebestof.exebestofd.execmd.exeAddInProcess32.execmd.exedescription pid process target process PID 1764 wrote to memory of 1420 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe bestof.exe PID 1764 wrote to memory of 1420 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe bestof.exe PID 1764 wrote to memory of 1420 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe bestof.exe PID 1764 wrote to memory of 1420 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe bestof.exe PID 1764 wrote to memory of 1120 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe bestofd.exe PID 1764 wrote to memory of 1120 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe bestofd.exe PID 1764 wrote to memory of 1120 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe bestofd.exe PID 1764 wrote to memory of 1120 1764 cfa3fbe4fcd80eabc714b98b532bcb21.exe bestofd.exe PID 1420 wrote to memory of 828 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 828 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 828 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 828 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 884 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 884 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 884 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 884 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1420 wrote to memory of 328 1420 bestof.exe AddInProcess32.exe PID 1120 wrote to memory of 920 1120 bestofd.exe cmd.exe PID 1120 wrote to memory of 920 1120 bestofd.exe cmd.exe PID 1120 wrote to memory of 920 1120 bestofd.exe cmd.exe PID 1120 wrote to memory of 920 1120 bestofd.exe cmd.exe PID 920 wrote to memory of 1456 920 cmd.exe PING.EXE PID 920 wrote to memory of 1456 920 cmd.exe PING.EXE PID 920 wrote to memory of 1456 920 cmd.exe PING.EXE PID 920 wrote to memory of 1456 920 cmd.exe PING.EXE PID 328 wrote to memory of 612 328 AddInProcess32.exe cmd.exe PID 328 wrote to memory of 612 328 AddInProcess32.exe cmd.exe PID 328 wrote to memory of 612 328 AddInProcess32.exe cmd.exe PID 328 wrote to memory of 612 328 AddInProcess32.exe cmd.exe PID 612 wrote to memory of 780 612 cmd.exe PING.EXE PID 612 wrote to memory of 780 612 cmd.exe PING.EXE PID 612 wrote to memory of 780 612 cmd.exe PING.EXE PID 612 wrote to memory of 780 612 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfa3fbe4fcd80eabc714b98b532bcb21.exe"C:\Users\Admin\AppData\Local\Temp\cfa3fbe4fcd80eabc714b98b532bcb21.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exebestof.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 35⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestofd.exebestofd.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
b77a1d58626a5d4a77202afbf717accb
SHA11a37bf11e2b75384785d05780fe17fe1167bfbb1
SHA256a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13
SHA512d12789afcdf0b6dc4dfd5c944c56466c3305b1f87670a038401e22a27ee8980b11a6039e73c4729c731dfd241fdb84c7c850c6ee2cd04bdfac6d5f5b2c8fff26
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
b77a1d58626a5d4a77202afbf717accb
SHA11a37bf11e2b75384785d05780fe17fe1167bfbb1
SHA256a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13
SHA512d12789afcdf0b6dc4dfd5c944c56466c3305b1f87670a038401e22a27ee8980b11a6039e73c4729c731dfd241fdb84c7c850c6ee2cd04bdfac6d5f5b2c8fff26
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestofd.exeMD5
72131adb0e2315281aae445db11e09a2
SHA1712ca2ebaa7d9bc9bbe18f7843954cfb0d22b08e
SHA2569ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
SHA512bbc68fa0c586aaa7227da59848407672e7629e8f1289384add8638c21bab69d41495bcfc7881446b527e5aa4db14e1babc4f71dfee32b69705e6d3b64bf46a22
-
\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
b77a1d58626a5d4a77202afbf717accb
SHA11a37bf11e2b75384785d05780fe17fe1167bfbb1
SHA256a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13
SHA512d12789afcdf0b6dc4dfd5c944c56466c3305b1f87670a038401e22a27ee8980b11a6039e73c4729c731dfd241fdb84c7c850c6ee2cd04bdfac6d5f5b2c8fff26
-
\Users\Admin\AppData\Roaming\gfersesurity\bestofd.exeMD5
72131adb0e2315281aae445db11e09a2
SHA1712ca2ebaa7d9bc9bbe18f7843954cfb0d22b08e
SHA2569ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
SHA512bbc68fa0c586aaa7227da59848407672e7629e8f1289384add8638c21bab69d41495bcfc7881446b527e5aa4db14e1babc4f71dfee32b69705e6d3b64bf46a22
-
memory/328-16-0x0000000000A40000-0x0000000000A51000-memory.dmpFilesize
68KB
-
memory/328-19-0x0000000000810000-0x0000000000832000-memory.dmpFilesize
136KB
-
memory/328-18-0x00000000005D0000-0x00000000005F4000-memory.dmpFilesize
144KB
-
memory/328-17-0x00000000746A0000-0x0000000074D8E000-memory.dmpFilesize
6.9MB
-
memory/328-13-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/328-14-0x000000000040CD2F-mapping.dmp
-
memory/328-15-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/612-28-0x0000000000000000-mapping.dmp
-
memory/780-29-0x0000000000000000-mapping.dmp
-
memory/920-26-0x0000000000000000-mapping.dmp
-
memory/1120-22-0x0000000003D80000-0x0000000003D91000-memory.dmpFilesize
68KB
-
memory/1120-23-0x00000000746A0000-0x0000000074D8E000-memory.dmpFilesize
6.9MB
-
memory/1120-25-0x0000000003F50000-0x0000000003F72000-memory.dmpFilesize
136KB
-
memory/1120-24-0x0000000003EC0000-0x0000000003EE4000-memory.dmpFilesize
144KB
-
memory/1120-20-0x00000000023E9000-0x00000000023EA000-memory.dmpFilesize
4KB
-
memory/1120-21-0x0000000003D80000-0x0000000003D91000-memory.dmpFilesize
68KB
-
memory/1120-11-0x0000000000000000-mapping.dmp
-
memory/1304-2-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmpFilesize
2.5MB
-
memory/1420-7-0x00000000746A0000-0x0000000074D8E000-memory.dmpFilesize
6.9MB
-
memory/1420-8-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1420-4-0x0000000000000000-mapping.dmp
-
memory/1456-27-0x0000000000000000-mapping.dmp
-
memory/1764-0-0x0000000002454000-0x0000000002465000-memory.dmpFilesize
68KB
-
memory/1764-1-0x0000000002730000-0x0000000002741000-memory.dmpFilesize
68KB