Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-12-2020 16:40

General

  • Target

    87d557bfd2d8ec6c148f7ab47ee89d28.exe

  • Size

    689KB

  • MD5

    87d557bfd2d8ec6c148f7ab47ee89d28

  • SHA1

    60e82a3efc232f93bc05762d25915d89726ba4cc

  • SHA256

    29197441b575d43a6acc86da8d4169458502f08ed7de1c052a1b300af2012936

  • SHA512

    eee5c74d3cf67aa6553023d0bdcc8ada985d02bc898d4cbd48124df0a0a1d6db8a4ef16fafb3b629e05db82f8e2507ac9c85a994e65ca6f437e191030309182e

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87d557bfd2d8ec6c148f7ab47ee89d28.exe
    "C:\Users\Admin\AppData\Local\Temp\87d557bfd2d8ec6c148f7ab47ee89d28.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe
      bestof.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:488
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3892
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • Runs ping.exe
          PID:1160

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe

    MD5

    e8cf0e1662dbf0059e06baa644cfe52c

    SHA1

    8b278efbe3666da07725a7dfd512c7aa9e12379b

    SHA256

    13b4456c19c9552d5986582cb97c22888d70f93b88d4f7445ad1c126ef27f5f7

    SHA512

    5d508d4f98cf6184870e4b476638d09ddeef777e0e372a59c3e97428d54df1496640d2948538cc4243f8fd293ac0a48d14cba1ec6620a888d533fb23fdd7db02

  • memory/488-14-0x0000000009FA0000-0x0000000009FA1000-memory.dmp

    Filesize

    4KB

  • memory/488-25-0x000000000D120000-0x000000000D121000-memory.dmp

    Filesize

    4KB

  • memory/488-15-0x00000000098F0000-0x00000000098F1000-memory.dmp

    Filesize

    4KB

  • memory/488-7-0x0000000005421000-0x0000000005422000-memory.dmp

    Filesize

    4KB

  • memory/488-8-0x0000000005510000-0x0000000005511000-memory.dmp

    Filesize

    4KB

  • memory/488-9-0x0000000007250000-0x0000000007251000-memory.dmp

    Filesize

    4KB

  • memory/488-10-0x0000000072200000-0x00000000728EE000-memory.dmp

    Filesize

    6.9MB

  • memory/488-11-0x0000000007030000-0x0000000007054000-memory.dmp

    Filesize

    144KB

  • memory/488-12-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

    Filesize

    4KB

  • memory/488-13-0x00000000072D0000-0x00000000072F2000-memory.dmp

    Filesize

    136KB

  • memory/488-24-0x000000000BEB0000-0x000000000BEB1000-memory.dmp

    Filesize

    4KB

  • memory/488-4-0x0000000000000000-mapping.dmp

  • memory/488-18-0x000000000A620000-0x000000000A621000-memory.dmp

    Filesize

    4KB

  • memory/488-17-0x0000000009980000-0x0000000009981000-memory.dmp

    Filesize

    4KB

  • memory/488-16-0x0000000009930000-0x0000000009931000-memory.dmp

    Filesize

    4KB

  • memory/488-19-0x000000000B310000-0x000000000B311000-memory.dmp

    Filesize

    4KB

  • memory/488-20-0x000000000B4E0000-0x000000000B4E1000-memory.dmp

    Filesize

    4KB

  • memory/488-21-0x000000000BB20000-0x000000000BB21000-memory.dmp

    Filesize

    4KB

  • memory/488-22-0x000000000BBC0000-0x000000000BBC1000-memory.dmp

    Filesize

    4KB

  • memory/488-23-0x000000000BC50000-0x000000000BC51000-memory.dmp

    Filesize

    4KB

  • memory/732-3-0x0000000005510000-0x0000000005511000-memory.dmp

    Filesize

    4KB

  • memory/732-2-0x0000000005414000-0x0000000005415000-memory.dmp

    Filesize

    4KB

  • memory/1160-27-0x0000000000000000-mapping.dmp

  • memory/3892-26-0x0000000000000000-mapping.dmp