Overview

overview

10

Static

static

8

2b5aae460b...06.exe

windows7_x64

10

2b5aae460b...06.exe

windows10_x64

10

Analysis

  • max time kernel
    28s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-12-2020 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b5aae460b5f2c2f3457f2dfd611f406.exe

  • Size

    689KB

  • MD5

    2b5aae460b5f2c2f3457f2dfd611f406

  • SHA1

    8e05e84c77b4e15a3074428137a6fb51d731fd88

  • SHA256

    38c800c0a1e910c13c99b52e67e13166e5ba08eb8e3d8d6813040c2cf557a041

  • SHA512

    77bab5a36742fdc3014e9896ef0d1952975ec7446054002f784ce7f63b0c02f61ee191d14d96fd16527dd86e552993e2b84558dcc724392382428d8fd8edfdda

Score
10/10
redlinediscoveryinfostealerspywareupx

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b5aae460b5f2c2f3457f2dfd611f406.exe
    "C:\Users\Admin\AppData\Local\Temp\2b5aae460b5f2c2f3457f2dfd611f406.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe
      bestof.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • Runs ping.exe
          PID:584

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe
    MD5

    e8cf0e1662dbf0059e06baa644cfe52c

    SHA1

    8b278efbe3666da07725a7dfd512c7aa9e12379b

    SHA256

    13b4456c19c9552d5986582cb97c22888d70f93b88d4f7445ad1c126ef27f5f7

    SHA512

    5d508d4f98cf6184870e4b476638d09ddeef777e0e372a59c3e97428d54df1496640d2948538cc4243f8fd293ac0a48d14cba1ec6620a888d533fb23fdd7db02

    Download Submit

  • C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe
    MD5

    e8cf0e1662dbf0059e06baa644cfe52c

    SHA1

    8b278efbe3666da07725a7dfd512c7aa9e12379b

    SHA256

    13b4456c19c9552d5986582cb97c22888d70f93b88d4f7445ad1c126ef27f5f7

    SHA512

    5d508d4f98cf6184870e4b476638d09ddeef777e0e372a59c3e97428d54df1496640d2948538cc4243f8fd293ac0a48d14cba1ec6620a888d533fb23fdd7db02

    Download Submit

  • memory/584-27-0x0000000000000000-mapping.dmp

    Download

  • memory/2296-26-0x0000000000000000-mapping.dmp

    Download

  • memory/2604-2-0x00000000054D4000-0x00000000054D5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-3-0x00000000055D0000-0x00000000055D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-14-0x0000000009DD0000-0x0000000009DD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-17-0x000000000A4A0000-0x000000000A4A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-10-0x0000000072A60000-0x000000007314E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2928-11-0x0000000007290000-0x00000000072B4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2928-12-0x00000000098D0000-0x00000000098D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-13-0x0000000009820000-0x0000000009842000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2928-8-0x00000000055B0000-0x00000000055B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-15-0x000000000A410000-0x000000000A411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-16-0x000000000A450000-0x000000000A451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-9-0x0000000007150000-0x0000000007151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-18-0x000000000A620000-0x000000000A621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-19-0x000000000B310000-0x000000000B311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-20-0x000000000B4E0000-0x000000000B4E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-21-0x000000000BB20000-0x000000000BB21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-22-0x000000000BBC0000-0x000000000BBC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-23-0x000000000BC50000-0x000000000BC51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-24-0x000000000BEB0000-0x000000000BEB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-25-0x000000000D110000-0x000000000D111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-7-0x0000000005241000-0x0000000005242000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-4-0x0000000000000000-mapping.dmp

    Download