Analysis

  • max time kernel
    62s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 06:48

General

  • Target

    Acrobat Cracker v.6.3.exe

  • Size

    1.6MB

  • MD5

    41598929a42c3f2bb561cc704ddad70e

  • SHA1

    c60a0243e7e6220daf6890015705cd5b299f4dc2

  • SHA256

    91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c

  • SHA512

    2db2086b8bcdf8db2335353fb4c3ce2e5f49a1f3030eca4bfd21d7c87461550b3f28a042ed4e3191530d8285b1368c7e86b13d7f4daaf33bce76d6e24651d1f6

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe  (PID 4676, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory

    • C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe  (PID 3304, depth 2, child of 4676)
      "C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"

    • C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe  (PID 3552, depth 2, child of 4676)
      "C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory

      • C:\Windows\SysWOW64\cmd.exe  (PID 4380, depth 3, child of 3552)
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"
        • Suspicious use of WriteProcessMemory

        • C:\Windows\SysWOW64\PING.EXE  (PID 4504, depth 4, child of 4380)
          ping 127.0.0.1 -n 3
          • Runs ping.exe
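The tree above shows two behaviours a detection engineer would want to match in endpoint telemetry: the parent (PID 4676) flagged for SetThreadContext plus WriteProcessMemory launches two children running its own image, a pattern consistent with process hollowing, and PID 3552 spawns cmd.exe with `ping 127.0.0.1 -n 3 > nul & del "<dropper>"`, using ping as a sleep before deleting the original file. The following Python is an added example, not part of the sandbox report or of any vendor's rule set. Its process-creation events are hand-constructed to mirror the tree (the parent PID 1 for the top process and the `api_calls` sets are assumptions paraphrasing the per-process flags), and the two functions are hypothetical detection logic that walks the parent chain to name the process whose binary is being deleted.

```python
import re
from dataclasses import dataclass, field


# Process-creation events constructed to mirror the tree above. This is hand-built
# sample data, not sandbox output; api_calls paraphrases the report's per-process flags.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    api_calls: set = field(default_factory=set)


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"

EVENTS = [
    ProcEvent(4676, 1, DROPPER, f'"{DROPPER}"',                      # ppid 1 is assumed
              {"SetThreadContext", "WriteProcessMemory", "AdjustPrivilegeToken"}),
    ProcEvent(3304, 4676, DROPPER, f'"{DROPPER}"'),
    ProcEvent(3552, 4676, DROPPER, f'"{DROPPER}"',
              {"WriteProcessMemory", "AdjustPrivilegeToken"}),
    ProcEvent(4380, 3552, r"C:\Windows\SysWOW64\cmd.exe",
              f'"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "{DROPPER}"',
              {"WriteProcessMemory"}),
    ProcEvent(4504, 4380, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 3"),
]

# "ping <loopback> -n N ... & del <file.exe>": ping acts as a delay, then the file is removed.
SELF_DELETE = re.compile(
    r'ping\s+(?:127\.0\.0\.1|localhost|::1)\s+-n\s+\d+.*?&+\s*del\s+'
    r'(?:/\S+\s+)*"?(?P<path>[^"&]+?\.exe)"?\s*$',
    re.IGNORECASE,
)


def find_self_delete(events):
    """Flag cmd.exe self-delete chains and name the ancestor whose image is being removed."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e.cmdline)
        if not m:
            continue
        target = m.group("path").strip()
        # Walk up the parent chain: which running process is deleting its own binary?
        owner = None
        cur = by_pid.get(e.ppid)
        while cur is not None:
            if cur.image.lower() == target.lower():
                owner = cur.pid
                break
            cur = by_pid.get(cur.ppid)
        hits.append({"pid": e.pid, "deleted": target, "target_pid": owner})
    return hits


def find_hollowing_candidates(events):
    """Parent that sets a thread context and writes memory into children running its own image."""
    out = []
    for parent in events:
        if not {"SetThreadContext", "WriteProcessMemory"} <= parent.api_calls:
            continue
        kids = [c.pid for c in events
                if c.ppid == parent.pid and c.image.lower() == parent.image.lower()]
        if kids:
            out.append((parent.pid, kids))
    return out


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print("self-delete:", hit)
    for ppid, kids in find_hollowing_candidates(EVENTS):
        print(f"hollowing candidate: parent {ppid} -> same-image children {kids}")
```

Against the constructed events the self-delete rule attributes the `del` to PID 3552 (the cmd.exe's parent, whose image matches the deleted path), and the hollowing rule pairs PID 4676 with children 3304 and 3552. Neither rule by itself proves injection; both are triage signals to be read alongside the memory dumps below.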

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                  ID      Count
  Credential Access   Credentials in Files       T1081   1
  Discovery           Query Registry             T1012   1
  Discovery           Remote System Discovery    T1018   1
  Collection          Data from Local System     T1005   1


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Acrobat Cracker v.6.3.exe.log
    MD5     9e7845217df4a635ec4341c3d52ed685
    SHA1    d65cb39d37392975b038ce503a585adadb805da5
    SHA256  d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
    SHA512  307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

  Memory dumps, PID 4676 (dump name, size):
  • memory/4676-0-0x0000000073900000-0x0000000073FEE000-memory.dmp  6.9MB
  • memory/4676-1-0x0000000000310000-0x0000000000311000-memory.dmp  4KB
  • memory/4676-3-0x0000000005260000-0x0000000005261000-memory.dmp  4KB
  • memory/4676-4-0x0000000004D60000-0x0000000004D61000-memory.dmp  4KB
  • memory/4676-5-0x0000000004E60000-0x0000000004E61000-memory.dmp  4KB
  • memory/4676-6-0x0000000006A50000-0x0000000006ADD000-memory.dmp  564KB
  • memory/4676-7-0x0000000006FF0000-0x0000000007037000-memory.dmp  284KB
  • memory/4676-8-0x0000000007040000-0x0000000007056000-memory.dmp  88KB

  Memory dumps, PID 3552:
  • memory/3552-9-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
  • memory/3552-10-0x000000000042050E-mapping.dmp
  • memory/3552-12-0x0000000073900000-0x0000000073FEE000-memory.dmp  6.9MB
  • memory/3552-15-0x0000000005CF0000-0x0000000005CF1000-memory.dmp  4KB
  • memory/3552-16-0x0000000005640000-0x0000000005641000-memory.dmp  4KB
  • memory/3552-17-0x0000000005620000-0x0000000005621000-memory.dmp  4KB
  • memory/3552-18-0x00000000056E0000-0x00000000056E1000-memory.dmp  4KB
  • memory/3552-19-0x0000000005930000-0x0000000005931000-memory.dmp  4KB
  • memory/3552-20-0x0000000006AB0000-0x0000000006AB1000-memory.dmp  4KB
  • memory/3552-21-0x00000000071B0000-0x00000000071B1000-memory.dmp  4KB
  • memory/3552-24-0x0000000006E80000-0x0000000006E81000-memory.dmp  4KB
  • memory/3552-25-0x0000000006F00000-0x0000000006F01000-memory.dmp  4KB
  • memory/3552-26-0x0000000007700000-0x0000000007701000-memory.dmp  4KB
  • memory/3552-27-0x0000000007990000-0x0000000007991000-memory.dmp  4KB
  • memory/3552-28-0x0000000008D30000-0x0000000008D31000-memory.dmp  4KB

  Memory dumps, PIDs 4380 and 4504:
  • memory/4380-29-0x0000000000000000-mapping.dmp
  • memory/4504-30-0x0000000000000000-mapping.dmp
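The dump list gives an analyst a concrete place to start with the hollowed child: PID 3552's region 0x00400000-0x00426000 is 0x26000 bytes, which is exactly the listed 152KB, and the mapping dump address 0x0042050E falls inside it. The natural next step is to check whether that region is a PE image and whether the mapping address is its entry point. The report does not say whether it is; the Python below is an added example, not the sandbox's tooling, and it builds a constructed minimal PE32 image (given entry RVA 0x2050E purely to show what a match looks like) in place of the real dump. Pointing it at the real `memory/3552-9-...-memory.dmp` file is the intended use.

```python
import struct
import sys

# Region and mapping address copied from the PID 3552 dump list in the report.
REGION_START, REGION_END = 0x00400000, 0x00426000
MAPPING_VA = 0x0042050E


def parse_pe_headers(img: bytes) -> dict:
    """Read the header fields an analyst needs from a dumped PE image:
    machine, PE32/PE32+ magic, AddressOfEntryPoint (RVA) and preferred ImageBase."""
    if img[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsect, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", img, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", img, opt)[0]
    entry_rva = struct.unpack_from("<I", img, opt + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                                        # PE32: ImageBase at +28 (4 bytes)
        image_base = struct.unpack_from("<I", img, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+: ImageBase at +24 (8 bytes)
        image_base = struct.unpack_from("<Q", img, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"machine": machine, "sections": nsect, "opt_size": opt_size,
            "characteristics": chars, "magic": magic,
            "entry_rva": entry_rva, "image_base": image_base}


def classify_mapping(img: bytes, region_start: int, region_end: int, mapping_va: int) -> str:
    """Relate a sandbox 'mapping' address to a dumped region: outside it, inside it,
    or exactly the image's entry point (region base + AddressOfEntryPoint)."""
    if not (region_start <= mapping_va < region_end):
        return "outside-region"
    hdr = parse_pe_headers(img)
    if mapping_va - region_start == hdr["entry_rva"]:
        return "entry-point"
    return "inside-region"


def build_fake_pe(entry_rva: int, image_base: int, size: int) -> bytes:
    """Constructed stand-in for the real dump: a minimal PE32 header in a zeroed buffer.
    Only the fields parse_pe_headers reads are populated."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew -> PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    # COFF: i386, 1 section, no symbols, 0xE0-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, image_base)        # ImageBase
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:                 # e.g. the real 3552-9 dump
            image = fh.read()
    else:
        image = build_fake_pe(MAPPING_VA - REGION_START, REGION_START, REGION_END - REGION_START)
    hdr = parse_pe_headers(image)
    print(f"machine={hdr['machine']:#x} magic={hdr['magic']:#x} "
          f"entry_rva={hdr['entry_rva']:#x} image_base={hdr['image_base']:#x}")
    print("mapping address", hex(MAPPING_VA), "->", classify_mapping(image, REGION_START, REGION_END, MAPPING_VA))
```

If the real dump's ImageBase is 0x400000 and its entry RVA equals 0x2050E the script prints `entry-point`; an `inside-region` result still tells you the mapping address lives in the injected image, just not at its entry. A `ValueError` means the region is not a PE image at offset 0, in which case the 0x73900000-0x73FEE000 dump (the same 6.9MB range appears in both the parent and the child) is a better candidate for the shared runtime and the 152KB region would need a header search rather than a fixed-offset parse.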