Analysis
-
max time kernel
43s -
max time network
42s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-03-2021 15:16
Static task
static1
Behavioral task
behavioral1
Sample
965212c139d8c474ed69ff3c33b88be4.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
965212c139d8c474ed69ff3c33b88be4.exe
Resource
win10v20201028
General
-
Target
965212c139d8c474ed69ff3c33b88be4.exe
-
Size
521KB
-
MD5
965212c139d8c474ed69ff3c33b88be4
-
SHA1
cce8ddf99da03113f80cd0e3e1368186468d904d
-
SHA256
fc1c966dd0ac73c1e2aae4287b1480ba9d27d01accc069a9a69d2a4fc9f1a6a9
-
SHA512
f9f37bbbacffcd4eed9ac7d4a66c9d5d0f0b0c85ec93e03712e1d238ace52f718beec08a5fc921b6a2d6d4084d1a4280258c188c514a6e0548ebde81afe9fd12
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 3 IoCs
Processes:
VersiumResearc.exe, VersiumResearch.exe, VersiumRes.exe
pid | process
1692 | VersiumResearc.exe
292 | VersiumResearch.exe
1000 | VersiumRes.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
VersiumRes.exe, VersiumResearc.exe
description | pid | process | target process
PID 1000 set thread context of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1692 set thread context of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
-
Processes:
965212c139d8c474ed69ff3c33b88be4.exeVersiumRes.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 965212c139d8c474ed69ff3c33b88be4.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 965212c139d8c474ed69ff3c33b88be4.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cd
b7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 965212c139d8c474ed69ff3c33b88be4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 VersiumRes.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 VersiumRes.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
AddInProcess32.exe, VersiumResearch.exe, AddInProcess32.exe
pid | process
1844 | AddInProcess32.exe
292 | VersiumResearch.exe
1652 | AddInProcess32.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
VersiumRes.exe, VersiumResearch.exe, AddInProcess32.exe, VersiumResearc.exe, AddInProcess32.exe
description | pid | process
Token: SeDebugPrivilege | 1000 | VersiumRes.exe
Token: SeDebugPrivilege | 292 | VersiumResearch.exe
Token: SeDebugPrivilege | 1844 | AddInProcess32.exe
Token: SeDebugPrivilege | 1692 | VersiumResearc.exe
Token: SeDebugPrivilege | 1652 | AddInProcess32.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
965212c139d8c474ed69ff3c33b88be4.exe, VersiumRes.exe, VersiumResearc.exe, AddInProcess32.exe, cmd.exe
description | pid | process | target process
PID 1656 wrote to memory of 1692 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumResearc.exe
PID 1656 wrote to memory of 1692 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumResearc.exe
PID 1656 wrote to memory of 1692 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumResearc.exe
PID 1656 wrote to memory of 1692 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumResearc.exe
PID 1656 wrote to memory of 292 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumResearch.exe
PID 1656 wrote to memory of 292 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumResearch.exe
PID 1656 wrote to memory of 292 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumResearch.exe
PID 1656 wrote to memory of 292 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumResearch.exe
PID 1656 wrote to memory of 1000 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumRes.exe
PID 1656 wrote to memory of 1000 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumRes.exe
PID 1656 wrote to memory of 1000 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumRes.exe
PID 1656 wrote to memory of 1000 | 1656 | 965212c139d8c474ed69ff3c33b88be4.exe | VersiumRes.exe
PID 1000 wrote to memory of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1000 wrote to memory of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1000 wrote to memory of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1000 wrote to memory of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1000 wrote to memory of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1000 wrote to memory of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1000 wrote to memory of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1000 wrote to memory of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1000 wrote to memory of 1844 | 1000 | VersiumRes.exe | AddInProcess32.exe
PID 1692 wrote to memory of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
PID 1692 wrote to memory of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
PID 1692 wrote to memory of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
PID 1692 wrote to memory of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
PID 1692 wrote to memory of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
PID 1692 wrote to memory of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
PID 1692 wrote to memory of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
PID 1692 wrote to memory of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
PID 1692 wrote to memory of 1652 | 1692 | VersiumResearc.exe | AddInProcess32.exe
PID 1844 wrote to memory of 888 | 1844 | AddInProcess32.exe | cmd.exe
PID 1844 wrote to memory of 888 | 1844 | AddInProcess32.exe | cmd.exe
PID 1844 wrote to memory of 888 | 1844 | AddInProcess32.exe | cmd.exe
PID 1844 wrote to memory of 888 | 1844 | AddInProcess32.exe | cmd.exe
PID 888 wrote to memory of 1060 | 888 | cmd.exe | reg.exe
PID 888 wrote to memory of 1060 | 888 | cmd.exe | reg.exe
PID 888 wrote to memory of 1060 | 888 | cmd.exe | reg.exe
PID 888 wrote to memory of 1060 | 888 | cmd.exe | reg.exe
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\965212c139d8c474ed69ff3c33b88be4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\965212c139d8c474ed69ff3c33b88be4.exe"
Depth: 1
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1656 -
Path: C:\Users\Admin\AppData\Local\Temp\VersiumResearc.exe
Command line: C:\Users\Admin\AppData\Local\Temp\VersiumResearc.exe
Depth: 2
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692 -
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652 -
Path: C:\Users\Admin\AppData\Local\Temp\VersiumResearch.exe
Command line: C:\Users\Admin\AppData\Local\Temp\VersiumResearch.exe
Depth: 2
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:292 -
Path: C:\Users\Admin\AppData\Local\Temp\VersiumRes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\VersiumRes.exe
Depth: 2
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000 -
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844 -
Path: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /C reg add HKEY_CURRENT_USER\Software\DataFinder\keycheck /v Status /t REG_DWORD /d 1 && reg add HKEY_CURRENT_USER\Software\DataFinder\VersiumResearch /v Status /t REG_DWORD /d 1
Depth: 4
- Suspicious use of WriteProcessMemory
PID:888 -
Path: C:\Windows\SysWOW64\reg.exe
Command line: reg add HKEY_CURRENT_USER\Software\DataFinder\keycheck /v Status /t REG_DWORD /d 1
Depth: 5
PID:1060
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
7959ab8670c919f85a98c231079739c8
SHA1
251792b13b125bdec88fe59244864da038fb4a27
SHA256
1d4a8313f0e48235cd8df99469b602d049ed558d82fc1e283476600e4149a145
SHA512
ab123560fdf39be963882f75cc1434ada2d14486cc9e0e4be11dcf79b046e1a19ff26ff28fd4a3a46c11b7526d29eaded77a4cd7d7e713fea268f62dfcff0841
-
MD5
7959ab8670c919f85a98c231079739c8
SHA1
251792b13b125bdec88fe59244864da038fb4a27
SHA256
1d4a8313f0e48235cd8df99469b602d049ed558d82fc1e283476600e4149a145
SHA512
ab123560fdf39be963882f75cc1434ada2d14486cc9e0e4be11dcf79b046e1a19ff26ff28fd4a3a46c11b7526d29eaded77a4cd7d7e713fea268f62dfcff0841
-
MD5
bda1efdad61372b0b12a4277e9558484
SHA1
dc9be4e90eaacbf08b4b04d71b5fe17cd752e6a6
SHA256
3a959095c9ef35d13c356c3236798cd6f4cdfab08bfddc618aa63875784ff3fc
SHA512
7b9e715627c6300075eeee8ec861e32ba96b855ce5857d7adb7518061cea5a48237b2cf886b5cfef88f40934f90656d8a64b7286dcb303ab44a4846c010edec1
-
MD5
bda1efdad61372b0b12a4277e9558484
SHA1
dc9be4e90eaacbf08b4b04d71b5fe17cd752e6a6
SHA256
3a959095c9ef35d13c356c3236798cd6f4cdfab08bfddc618aa63875784ff3fc
SHA512
7b9e715627c6300075eeee8ec861e32ba96b855ce5857d7adb7518061cea5a48237b2cf886b5cfef88f40934f90656d8a64b7286dcb303ab44a4846c010edec1
-
MD5
aedd7327b99ed5177d43ed7758f1ebff
SHA1
46137683ee73646c9aa05ed27b661ad2ecbe9c20
SHA256
0d6704a682e281399df401b4aac628f0ff16826b31e2c61df32919e77c55edf8
SHA512
68b35c614d38064fed6dbaf34a06063445fd4433b15776431ffefaaafda4ea29bbcdf427bd3a835287debc8dec447efb4443f19bded463b1230819928360a392
-
MD5
aedd7327b99ed5177d43ed7758f1ebff
SHA1
46137683ee73646c9aa05ed27b661ad2ecbe9c20
SHA256
0d6704a682e281399df401b4aac628f0ff16826b31e2c61df32919e77c55edf8
SHA512
68b35c614d38064fed6dbaf34a06063445fd4433b15776431ffefaaafda4ea29bbcdf427bd3a835287debc8dec447efb4443f19bded463b1230819928360a392