Overview

overview

10

Static

static

1

cheat_417615128.exe

windows7_x64

10

cheat_417615128.exe

windows10_x64

8

tesetup.exe

windows7_x64

9

tesetup.exe

windows10_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cheat_417615128.zip

  • Size

    11.1MB

  • Sample

    210213-c1qqnm9z4s

  • MD5

    7071dcc8afe7e3fd51de78b7ed31dada

  • SHA1

    8c5cd664a95f66decfd69ff15869750e829da5ef

  • SHA256

    4c1baefb3e979faa7733ff1269d1909553eb583c9994c93e80207993ab05b414

  • SHA512

    6c0efc0f45338419a102f245084f2deb1c65ed9fb0dcc5cffdf17471226baa5cfd5c07374b3e5e46ed690b5271045dc4be8dcfec04b55d9ab7053ac85a89f641

Score
10/10
redlinediscoveryinfostealerpersistencespywareupx

Malware Config

Targets

    • Target

      cheat_417615128.exe

    • Size

      2.8MB

    • MD5

      ad5b3a6c1f20e8e3fdd53ccd00ceac4e

    • SHA1

      39983d7eb929e2ab3855bb0b6cf1fc9f644c2b1c

    • SHA256

      e8d312cec2a96d167a27898fbc99d5edaaa8b34e805bb57904561eec1f55e618

    • SHA512

      b46e751ed9db95fbeb966151bd84a6b5c1421d5e66ed291cf4a749cd9292a44968cfaeaa49502de5ca895e3fed8296d0fdc91dcbc05dfec6b19e418d3cf64b2b

    Score
    10/10
    redlinediscoveryinfostealerpersistencespyware

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      tesetup.exe

    • Size

      8.5MB

    • MD5

      e2117b1bcb242413dac0c2ab781185cf

    • SHA1

      87b125bd59fc9ff51e2b34ce7af0fcb63e4a906b

    • SHA256

      17f049fecfce6461a398d914d6c265d0e0a074fa601310698b436445135b4797

    • SHA512

      abdeb1512b4b4488b6b1c9fb0bfeba3cd5dae3eb3ac25d530497fd7cde4dc1dccd3fbc953afef404234b6c79e1d128b70807a332c54684cf17168b4eaba56362

    Score
    9/10
    discoveryupx

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Modify Registry

4
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks