Static

static

8

53c599ee63...3a.exe

windows7_x64

10

53c599ee63...3a.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    28-12-2020 17:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53c599ee6324db60c4b394722d950d3a.exe

  • Size

    594KB

  • MD5

    53c599ee6324db60c4b394722d950d3a

  • SHA1

    7a5d027376db62faecbe44d866a908f3915fc4f1

  • SHA256

    0d828c5af228839b87308f801d19ce5ea0ffc333eee641390c089207f16a96bf

  • SHA512

    b0c24a3a70d3bfa22164e711fe2357f0f7241f46502e2cfc660d7e2b2a76a4ad571f0044c44a1a547fe08b3432575e3eab286ec14cd699f3cac9ef5f1d7f8f9f

Score
10/10
redlineinfostealerupx

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53c599ee6324db60c4b394722d950d3a.exe
    "C:\Users\Admin\AppData\Local\Temp\53c599ee6324db60c4b394722d950d3a.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe
      bestof.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2236

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1112-2-0x00000000050EB000-0x00000000050EC000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1112-3-0x0000000005420000-0x0000000005421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-10-0x00000000723B0000-0x0000000072A9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2236-7-0x00000000050C7000-0x00000000050C8000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-8-0x0000000005490000-0x0000000005491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-9-0x0000000006D70000-0x0000000006D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-11-0x0000000006CA0000-0x0000000006CC4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2236-12-0x0000000009510000-0x0000000009511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-13-0x0000000009320000-0x0000000009342000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2236-14-0x0000000009A10000-0x0000000009A11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-15-0x00000000093C0000-0x00000000093C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-16-0x0000000009400000-0x0000000009401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-17-0x0000000009450000-0x0000000009451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-18-0x000000000A0F0000-0x000000000A0F1000-memory.dmp

    Filesize

    4KB

    Download