Overview

overview

10

Static

static

2a4dd042c4...56.exe

windows7_x64

10

2a4dd042c4...56.exe

windows10_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-03-2021 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a4dd042c4fa1dbe3976301e7e960a56.exe

  • Size

    586KB

  • MD5

    2a4dd042c4fa1dbe3976301e7e960a56

  • SHA1

    6f85a75e658e65e5d028f7c5262a74c40f32c19e

  • SHA256

    6343e83da8699df5471ed6ef0364606e6918b9aeb8f94de5bf6759440992537b

  • SHA512

    e9b8a01a6420c459b469db5ff03ba0ab5b4663cd1ef6edde83d07aedb3e6001017f7a9013f09e9ca4e8fae4665e7a06f9b4508ed4e4e0a974efef2b7799f2fef

Score
10/10
redlinediscoveryinfostealerspyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a4dd042c4fa1dbe3976301e7e960a56.exe
    "C:\Users\Admin\AppData\Local\Temp\2a4dd042c4fa1dbe3976301e7e960a56.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Users\Admin\AppData\Roaming\purefoe\noabu.exe
      noabu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\purefoe\noabu.exe
    MD5

    3559653e624d3f27360f1b64e5251b5e

    SHA1

    6e1329621f3c3263cdea637ac041657a51fe53b8

    SHA256

    cd9c2cdb807a8c65e1804c98dfc631ef86fd0d0248f99da9465c061c34142995

    SHA512

    434955f1a953f05e9db9ee764ded89adecf478b841eeabfa9f01ebbbd9198ba49a0481b950dc52b94c101d0db30a74f9384ed326a69cdfeb46b5551505fc8aa0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\purefoe\noabu.exe
    MD5

    3559653e624d3f27360f1b64e5251b5e

    SHA1

    6e1329621f3c3263cdea637ac041657a51fe53b8

    SHA256

    cd9c2cdb807a8c65e1804c98dfc631ef86fd0d0248f99da9465c061c34142995

    SHA512

    434955f1a953f05e9db9ee764ded89adecf478b841eeabfa9f01ebbbd9198ba49a0481b950dc52b94c101d0db30a74f9384ed326a69cdfeb46b5551505fc8aa0

    Download Submit
  • memory/3584-3-0x0000000003110000-0x00000000031DF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/3584-4-0x0000000000400000-0x00000000004D5000-memory.dmp
    Filesize

    852KB

    Download
  • memory/3584-2-0x0000000003290000-0x0000000003291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-21-0x00000000073A2000-0x00000000073A3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-24-0x00000000073A4000-0x00000000073A6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3948-13-0x0000000004B30000-0x0000000004B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-14-0x0000000002F40000-0x0000000002F75000-memory.dmp
    Filesize

    212KB

    Download
  • memory/3948-15-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/3948-16-0x0000000072A20000-0x000000007310E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3948-17-0x0000000004980000-0x00000000049AA000-memory.dmp
    Filesize

    168KB

    Download
  • memory/3948-18-0x00000000073B0000-0x00000000073B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-19-0x0000000004CD0000-0x0000000004CF8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3948-9-0x0000000000000000-mapping.dmp
    Download
  • memory/3948-20-0x00000000073A0000-0x00000000073A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-22-0x00000000073A3000-0x00000000073A4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-23-0x0000000007300000-0x0000000007301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-12-0x0000000003160000-0x0000000003161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-25-0x0000000007DB0000-0x0000000007DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-26-0x0000000007F90000-0x0000000007F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-27-0x0000000008620000-0x0000000008621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-28-0x0000000008640000-0x0000000008641000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-29-0x00000000087B0000-0x00000000087B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-30-0x0000000008930000-0x0000000008931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-31-0x0000000009140000-0x0000000009141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-32-0x0000000009320000-0x0000000009321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-33-0x0000000009960000-0x0000000009961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-34-0x0000000009A10000-0x0000000009A11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-35-0x000000000A260000-0x000000000A261000-memory.dmp
    Filesize

    4KB

    Download