Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
28-12-2020 17:06
Static task
static1
Behavioral task
behavioral1
Sample
860ba1abb7492b10512445c13994b685.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
860ba1abb7492b10512445c13994b685.exe
Resource
win10v20201028
General
-
Target
860ba1abb7492b10512445c13994b685.exe
-
Size
595KB
-
MD5
860ba1abb7492b10512445c13994b685
-
SHA1
2eaedfa31c5906b83696d9d966285f23d1512a0b
-
SHA256
8ec19d4e2e49adcd9c4b08b769f3d8cab2708d7cba29dc47eb85673b78f35103
-
SHA512
89e86190c4c30de5d0a49ca11c9dd73f87ac9216ed8f92d5120e808a8c99f1e9b0863a0418aad0adde02d636b7bc85a22f45130cbf2da2cb41d592e227bc8204
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1256-16-0x00000000050D0000-0x00000000050F4000-memory.dmp family_redline behavioral1/memory/1256-17-0x00000000069C0000-0x00000000069E2000-memory.dmp family_redline -
Executes dropped EXE 1 IoCs
Processes:
bestof.exepid process 1256 bestof.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\leadentop\bestof.exe upx C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe upx -
Loads dropped DLL 1 IoCs
Processes:
860ba1abb7492b10512445c13994b685.exepid process 1208 860ba1abb7492b10512445c13994b685.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
860ba1abb7492b10512445c13994b685.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 860ba1abb7492b10512445c13994b685.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 860ba1abb7492b10512445c13994b685.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
bestof.exedescription pid process Token: SeDebugPrivilege 1256 bestof.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
860ba1abb7492b10512445c13994b685.exedescription pid process target process PID 1208 wrote to memory of 1256 1208 860ba1abb7492b10512445c13994b685.exe bestof.exe PID 1208 wrote to memory of 1256 1208 860ba1abb7492b10512445c13994b685.exe bestof.exe PID 1208 wrote to memory of 1256 1208 860ba1abb7492b10512445c13994b685.exe bestof.exe PID 1208 wrote to memory of 1256 1208 860ba1abb7492b10512445c13994b685.exe bestof.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\860ba1abb7492b10512445c13994b685.exe"C:\Users\Admin\AppData\Local\Temp\860ba1abb7492b10512445c13994b685.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Users\Admin\AppData\Roaming\leadentop\bestof.exebestof.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ce62304c3eff639e1b2352667a569b8a
SHA15a5cb774b59befe102fe04e93d9853cfbda3334b
SHA256e8356fad49709d2563d2707dbb09f4f1019e30a0ff5836047a11b3d1d84f4d62
SHA51299d77537f2fade1ca2255c16fcd5d64618f0364f15cddb1b6a48814c9a7e59ccdac72db7f0a1cf4b0eac63180264fd58989e43839373d085ecb42ad2b9fe6f41
-
MD5
ce62304c3eff639e1b2352667a569b8a
SHA15a5cb774b59befe102fe04e93d9853cfbda3334b
SHA256e8356fad49709d2563d2707dbb09f4f1019e30a0ff5836047a11b3d1d84f4d62
SHA51299d77537f2fade1ca2255c16fcd5d64618f0364f15cddb1b6a48814c9a7e59ccdac72db7f0a1cf4b0eac63180264fd58989e43839373d085ecb42ad2b9fe6f41