Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-03-2021 08:51

General

  • Target

    1adbb0c6365fbd5055f234acd6bfd01a.exe

  • Size

    882KB

  • MD5

    1adbb0c6365fbd5055f234acd6bfd01a

  • SHA1

    5aae335d0716f476ca2834d6433eae822ff1d614

  • SHA256

    87a7b8a96e23c4877698d665dcce69b7ef434e86fb82610193b9a1d503c02fe6

  • SHA512

    8503bfbcbe7fe620fe87592abe32f0f31fcc82c18d88073b33b8a1f2ae465fcf10d50bfb5e5ebb3f4638257238a05a4a131e62da7726eef4d2b0e752d20b5b43

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs

    The process tree shows the sample launching Internet Explorer (PID 400) to https://iplogger.org/2EVjA5. iplogger.org is a public IP-logging/link-tracking service, so this visit most likely reports the infection (victim IP, user agent) to the operator rather than fetching a payload. Treat the URL as an IoC; the RedLine C2 endpoint itself is not extracted in this report (Malware Config is empty).
  • Suspicious use of SetThreadContext 1 IoCs

    Raised on the dropped 3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp (PID 1688), which also uses WriteProcessMemory and spawns a second copy of its own image (PID 1532, command line recorded as "{path}"). That sequence is consistent with process hollowing (RunPE): the 152KB region at 0x400000-0x426000 dumped from PID 1532 is the best candidate for the injected payload image, and PID 1532 is where the stealer behaviour (process enumeration, AdjustPrivilegeToken) is observed.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's stock description adds "likely ransomware behaviour", but nothing else in this report supports that (no mass file writes or ransom note among the dropped files); for an infostealer such as RedLine, drive enumeration is routine host profiling, not encryption.

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1adbb0c6365fbd5055f234acd6bfd01a.exe
    "C:\Users\Admin\AppData\Local\Temp\1adbb0c6365fbd5055f234acd6bfd01a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
      C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
        "{path}"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1532
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/2EVjA5
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:860
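The process tree above shows two patterns worth encoding as detections: the dropped .tmp (PID 1688) using SetThreadContext and WriteProcessMemory on a second copy of its own image (PID 1532, command line recorded as "{path}"), and the original sample launching Internet Explorer at an iplogger.org URL. The following Python is an added example written for this report, not sandbox or RedLine code; the event records are constructed by hand from the tree, and the field names, tag strings, browser list and the list of abused web services are this example's own assumptions.

```python
"""Triage a sandbox process tree for two patterns seen in this report:
process hollowing (parent -> same-image child + SetThreadContext + WriteProcessMemory)
and beaconing through a legitimate web service (non-browser launches a browser at a
tracking/paste host).

Added example for this report, not sandbox or RedLine code. Event records are
constructed from the report's Processes section; field names, tag strings and
the host/browser lists are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple
from urllib.parse import urlsplit


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    # Behaviour tags the sandbox attached to the process (assumed field)
    tags: Set[str] = field(default_factory=set)


# Constructed from the report's process tree.
EVENTS: List[ProcEvent] = [
    ProcEvent(1020, None, r"C:\Users\Admin\AppData\Local\Temp\1adbb0c6365fbd5055f234acd6bfd01a.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\1adbb0c6365fbd5055f234acd6bfd01a.exe"',
              {"Loads dropped DLL", "Suspicious use of WriteProcessMemory"}),
    ProcEvent(1688, 1020, r"C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp",
              r"C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp",
              {"Executes dropped EXE", "Suspicious use of SetThreadContext",
               "Suspicious use of WriteProcessMemory"}),
    ProcEvent(1532, 1688, r"C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp",
              '"{path}"',  # literal placeholder, exactly as the report records it
              {"Executes dropped EXE", "Suspicious use of AdjustPrivilegeToken"}),
    ProcEvent(400, 1020, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/2EVjA5',
              {"Modifies Internet Explorer settings", "Suspicious use of WriteProcessMemory"}),
    ProcEvent(860, 400, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:275457 /prefetch:2',
              {"Modifies Internet Explorer settings"}),
]

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Public services commonly abused as an infection beacon or payload host (assumed list).
ABUSED_WEB_SERVICES = {"iplogger.org", "pastebin.com", "discord.com", "cdn.discordapp.com"}
HOLLOWING_TAGS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def find_hollowing(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where a process spawned a second copy of its
    own image and carried the SetThreadContext + WriteProcessMemory tags: the
    classic RunPE / process-hollowing sequence."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or parent.image.lower() != child.image.lower():
            continue
        if HOLLOWING_TAGS <= parent.tags:
            hits.append((parent.pid, child.pid))
    return hits


def find_web_service_beacons(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(pid, host) pairs where a non-browser parent launched a browser with a URL
    on an abused public web service. Browser-spawned browser processes (tabs,
    renderers such as PID 860 here) are ignored."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if _basename(e.image) not in BROWSERS or parent is None:
            continue
        if _basename(parent.image) in BROWSERS:
            continue
        for token in e.cmdline.split():
            if token.startswith(("http://", "https://")):
                host = urlsplit(token).hostname or ""
                if host in ABUSED_WEB_SERVICES:
                    hits.append((e.pid, host))
    return hits


if __name__ == "__main__":
    print("hollowing:", find_hollowing(EVENTS))
    print("web-service beacons:", find_web_service_beacons(EVENTS))
```

Run against the constructed events, `find_hollowing` returns the 1688 -> 1532 pair and `find_web_service_beacons` returns PID 400 with iplogger.org; on real telemetry the same logic applies to Sysmon event 1 (process create) plus event 8/10 style access flags in place of the sandbox tags.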

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry, T1112 (1)
  • Credential Access: Credentials in Files, T1081 (1)
  • Discovery: Query Registry, T1012 (1)
  • Discovery: System Information Discovery, T1082 (1)
  • Collection: Data from Local System, T1005 (1)
  • Command and Control: Web Service, T1102 (1)

    The number after each technique is the count of matching signatures. IDs follow ATT&CK v6; in current ATT&CK, T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files), so map it accordingly when correlating with newer tooling.

Downloads

  • C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
    MD5

    b4374d21ebb16da6b2900a4959e46910

    SHA1

    13c11a3abc2c5c930a46449637c79067c07501ea

    SHA256

    3f93946193930f305bd0c2f82ce462a6de400072ef0bc2b059ae1aeebb435b13

    SHA512

    e95d1d691398778ba431bd3487e0146bcd51a7d48babc2c62f8f6d3a374bc0089792c40d03b40073004d267a8642d151cfa2ee9863b5f5e6395f6007325f6e39

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5

    61a03d15cf62612f50b74867090dbe79

    SHA1

    15228f34067b4b107e917bebaf17cc7c3c1280a8

    SHA256

    f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

    SHA512

    5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    7e2f44e5305a72af391feb728f15007a

    SHA1

    379730e3021eb1bfba864e70fe5145f564c449ad

    SHA256

    ea483ecdaf2e40b7b438f92049e2490dd2cf97fc8dcd87908b88cfdd2a0ebd69

    SHA512

    445909444699ef78ab38e5e0519fdd8a213a24de44c9a09821598a943fafead5ced8d6e80a14e2cb8bda916905fe30c55cd6fa268b73683088abeb6e90c9450e

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7iy1jn\imagestore.dat
    MD5

    18890fc8c8730ba342b8a64d73f5c024

    SHA1

    3a6da3938a9c289b4977cc535d84e2d3493b0681

    SHA256

    99269ed6580b9822f9d82c758714fb5d22df50ba824fa27d842fe14493ea2ceb

    SHA512

    6e64ccc94067e9a498e85ae5b25f208b43f11a90c17652735954d1aaf2a56eaaaf61c44221a415c12b6d2450b2150f6949c10ba8396afe9fd4d646385e7c6152

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FCAEWUPV.txt
    MD5

    52c68355b0fc437d3efbcc9362df00e4

    SHA1

    c5f8621e809bfca23fe93e2077c456d58eacb899

    SHA256

    a49c63dfddeb1637989e73a37255ad58fe4398ea29b5d10515567f660c350178

    SHA512

    5ce82236ecc696194eb400dde7720b6b9a35546b61bc448d23b8ec187ed31455bf4eecab56197566c27afc35c7e2446a5a1f695942b56b9a61da0851c98c4913

  • \ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
    MD5

    b4374d21ebb16da6b2900a4959e46910

    SHA1

    13c11a3abc2c5c930a46449637c79067c07501ea

    SHA256

    3f93946193930f305bd0c2f82ce462a6de400072ef0bc2b059ae1aeebb435b13

    SHA512

    e95d1d691398778ba431bd3487e0146bcd51a7d48babc2c62f8f6d3a374bc0089792c40d03b40073004d267a8642d151cfa2ee9863b5f5e6395f6007325f6e39

  • memory/400-8-0x0000000000000000-mapping.dmp
  • memory/860-12-0x0000000000000000-mapping.dmp
  • memory/1020-2-0x00000000753E1000-0x00000000753E3000-memory.dmp
    Filesize

    8KB

  • memory/1312-3-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp
    Filesize

    2.5MB

  • memory/1532-21-0x00000000738B0000-0x0000000073F9E000-memory.dmp
    Filesize

    6.9MB

  • memory/1532-18-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

  • memory/1532-19-0x000000000041F3A6-mapping.dmp
  • memory/1532-22-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

  • memory/1532-24-0x00000000044B0000-0x00000000044B1000-memory.dmp
    Filesize

    4KB

  • memory/1688-16-0x0000000004C70000-0x0000000004CDC000-memory.dmp
    Filesize

    432KB

  • memory/1688-17-0x0000000002000000-0x000000000202C000-memory.dmp
    Filesize

    176KB

  • memory/1688-15-0x0000000000530000-0x0000000000532000-memory.dmp
    Filesize

    8KB

  • memory/1688-13-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
    Filesize

    4KB

  • memory/1688-10-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/1688-9-0x00000000738B0000-0x0000000073F9E000-memory.dmp
    Filesize

    6.9MB

  • memory/1688-5-0x0000000000000000-mapping.dmp
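The memory dump names above encode the PID, a sequence number and the region's start and end address, so the stated Filesize can be cross-checked and the region that holds the hollowed-in payload can be picked out. The following Python is an added example for this report, not sandbox tooling; the dump names and sizes are copied from the list above, and the heuristics (a region starting at 0x400000, the default image base of a 32-bit EXE, is a mapped EXE image; a single-address "mapping" dump is the thread start or entry point the sandbox observed) are this example's own assumptions.

```python
"""Parse the report's memory dump names, cross-check their address ranges
against the stated Filesize, and flag the region that looks like a mapped
EXE image (the hollowed-in payload) and the entry point inside it.

Added example for this report, not sandbox tooling. Dump names and sizes are
copied from the report; the 0x400000 image-base heuristic and the reading of
"mapping" dumps as a thread start/entry address are this example's assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Copied from the report's memory dump list: (dump name, stated Filesize or None).
DUMPS: List[Tuple[str, Optional[str]]] = [
    ("memory/400-8-0x0000000000000000-mapping.dmp", None),
    ("memory/860-12-0x0000000000000000-mapping.dmp", None),
    ("memory/1020-2-0x00000000753E1000-0x00000000753E3000-memory.dmp", "8KB"),
    ("memory/1312-3-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp", "2.5MB"),
    ("memory/1532-21-0x00000000738B0000-0x0000000073F9E000-memory.dmp", "6.9MB"),
    ("memory/1532-18-0x0000000000400000-0x0000000000426000-memory.dmp", "152KB"),
    ("memory/1532-19-0x000000000041F3A6-mapping.dmp", None),
    ("memory/1532-22-0x0000000000400000-0x0000000000426000-memory.dmp", "152KB"),
    ("memory/1532-24-0x00000000044B0000-0x00000000044B1000-memory.dmp", "4KB"),
    ("memory/1688-16-0x0000000004C70000-0x0000000004CDC000-memory.dmp", "432KB"),
    ("memory/1688-17-0x0000000002000000-0x000000000202C000-memory.dmp", "176KB"),
    ("memory/1688-15-0x0000000000530000-0x0000000000532000-memory.dmp", "8KB"),
    ("memory/1688-13-0x0000000004CE0000-0x0000000004CE1000-memory.dmp", "4KB"),
    ("memory/1688-10-0x0000000000230000-0x0000000000231000-memory.dmp", "4KB"),
    ("memory/1688-9-0x00000000738B0000-0x0000000073F9E000-memory.dmp", "6.9MB"),
    ("memory/1688-5-0x0000000000000000-mapping.dmp", None),
]

REGION_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp")
DEFAULT_EXE_IMAGE_BASE = 0x400000  # assumed heuristic: default 32-bit EXE image base


def parse_dump(name: str) -> Optional[Dict]:
    """Decode a dump name into pid/seq/kind/start/end/size, or None if unrecognised."""
    m = REGION_RE.fullmatch(name)
    if m:
        start, end = int(m[3], 16), int(m[4], 16)
        return {"pid": int(m[1]), "seq": int(m[2]), "kind": "region",
                "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.fullmatch(name)
    if m:
        return {"pid": int(m[1]), "seq": int(m[2]), "kind": "mapping",
                "start": int(m[3], 16), "end": None, "size": None}
    return None


def human_size(n: int) -> str:
    """Format the way the report does: whole KB below 1 MB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_sizes(dumps) -> List[str]:
    """Names of region dumps whose stated Filesize disagrees with the address range."""
    bad = []
    for name, stated in dumps:
        d = parse_dump(name)
        if d and d["kind"] == "region" and stated is not None and human_size(d["size"]) != stated:
            bad.append(name)
    return bad


def likely_pe_images(dumps) -> List[Tuple[int, int, int]]:
    """(pid, start, end) of regions at the default EXE image base. In a same-image
    child such as PID 1532 this is where the hollowed-in payload lives."""
    out = set()
    for name, _ in dumps:
        d = parse_dump(name)
        if d and d["kind"] == "region" and d["start"] == DEFAULT_EXE_IMAGE_BASE:
            out.add((d["pid"], d["start"], d["end"]))
    return sorted(out)


def entry_points_inside(dumps) -> List[Tuple[int, int, int, int]]:
    """Pair each non-zero 'mapping' address with the region dump of the same PID
    that contains it: (pid, address, region_start, region_end)."""
    regions = [r for r in (parse_dump(n) for n, _ in dumps) if r and r["kind"] == "region"]
    out = set()
    for name, _ in dumps:
        d = parse_dump(name)
        if not (d and d["kind"] == "mapping" and d["start"]):
            continue
        for r in regions:
            if r["pid"] == d["pid"] and r["start"] <= d["start"] < r["end"]:
                out.add((d["pid"], d["start"], r["start"], r["end"]))
                break
    return sorted(out)


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    print("EXE-image regions:", [(p, hex(s), hex(e)) for p, s, e in likely_pe_images(DUMPS)])
    print("entry points:", [(p, hex(a), hex(s), hex(e)) for p, a, s, e in entry_points_inside(DUMPS)])
```

On this report every stated Filesize agrees with its address range, the only region at 0x400000 is the 152KB image in PID 1532, and the lone non-zero mapping address (0x41F3A6) falls inside it, which is what you would expect if PID 1532 was hollowed and resumed at an entry point in the injected image. The two 6.9MB regions at 0x738B0000 shared by PIDs 1688 and 1532 are the same mapped DLL loaded in both the dropper and its child.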