Overview

overview

10

Static

static

975ddb42a7...85.exe

windows7_x64

10

975ddb42a7...85.exe

windows10_x64

10

Analysis

  • max time kernel
    34s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    02-12-2020 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    975ddb42a7507832e8a8c458054f4285.exe

  • Size

    551KB

  • MD5

    975ddb42a7507832e8a8c458054f4285

  • SHA1

    15c4ac9e60d4aa8355d255bb19ef3dca1148606f

  • SHA256

    d94a672fd4dc3fd14b52c67d37822efd114ed1bbecc49633bbf74509843380a1

  • SHA512

    e1def37cfd4277e741726f92766cd95a526bcb2ae144839cf2343a22d255e3b402419a978d67d957996326092a47cbb55614c3ec088f5566a628a362f57b0536

Score
10/10
redlinediscoveryinfostealerspyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\975ddb42a7507832e8a8c458054f4285.exe
    "C:\Users\Admin\AppData\Local\Temp\975ddb42a7507832e8a8c458054f4285.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Roaming\gfersesurityd\bestof.exe
      bestof.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1712

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\gfersesurityd\bestof.exe
    MD5

    bd0bcda992939e8c117e758e8ebffc93

    SHA1

    60f5ccb2f8f7859c0a580041d651fe2e6cd1edbe

    SHA256

    a3948163bc436fde2808c4c76fccc90d515f3d754fc5851f0eb1e8b40a539e2b

    SHA512

    1c81bfed10ee288fbb6f8a877ce3f7d64407cfd547e1be02d5789d0a528800ff8fa2fc3f280171a377daa5f013286bb7fb1e13b2cd4261caf2892462cf057f36

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gfersesurityd\bestof.exe
    MD5

    bd0bcda992939e8c117e758e8ebffc93

    SHA1

    60f5ccb2f8f7859c0a580041d651fe2e6cd1edbe

    SHA256

    a3948163bc436fde2808c4c76fccc90d515f3d754fc5851f0eb1e8b40a539e2b

    SHA512

    1c81bfed10ee288fbb6f8a877ce3f7d64407cfd547e1be02d5789d0a528800ff8fa2fc3f280171a377daa5f013286bb7fb1e13b2cd4261caf2892462cf057f36

    Download Submit

  • memory/540-3-0x0000000004E60000-0x0000000004E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/540-2-0x00000000031BB000-0x00000000031BD000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1712-14-0x00000000055F0000-0x00000000055F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-15-0x0000000005040000-0x0000000005041000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-8-0x00000000026A0000-0x00000000026A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-9-0x0000000002A10000-0x0000000002A11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-10-0x0000000072250000-0x000000007293E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1712-11-0x0000000004F10000-0x0000000004F35000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1712-12-0x00000000050F0000-0x00000000050F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-13-0x0000000004F80000-0x0000000004FA3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1712-4-0x0000000000000000-mapping.dmp

    Download

  • memory/1712-7-0x0000000000BC8000-0x0000000000BC9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-16-0x0000000005080000-0x0000000005081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-17-0x0000000005C00000-0x0000000005C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-18-0x0000000005D70000-0x0000000005D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-19-0x0000000006A60000-0x0000000006A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-20-0x0000000006C30000-0x0000000006C31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-21-0x0000000007250000-0x0000000007251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-22-0x0000000007310000-0x0000000007311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-23-0x00000000073A0000-0x00000000073A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-24-0x0000000007710000-0x0000000007711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-25-0x00000000087F0000-0x00000000087F1000-memory.dmp

    Filesize

    4KB

    Download