Analysis
- Max time kernel: 58s
- Max time network: 59s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 21-04-2021 13:04
Static task
- static1

Behavioral tasks (all run against the same sample, "trainer v5.1.3.exe")
- behavioral1: resource win10v20210410
- behavioral2: resource win10v20210410
- behavioral3: resource win10v20210410
- behavioral4: resource win10v20210408
- behavioral5: resource win7v20210410
General
- Target: trainer v5.1.3.exe
- Size: 1.5MB
- MD5: d411460e9cf04cd64bdc25345bc9783b
- SHA1: 3374f053e1b9d40558c65bd363a3bae336a76cc8
- SHA256: d47a34d18de0c08fa32f88fabb0123de6521b20f21a955f050c019a89360acb8
- SHA512: 8b8b8b9054daedd9f39682ab3d44f757f28085e028e4b666bca17a997e61c48b52cadbfefb851da0b4b4d2979ecd399f55e74bc0c9dd29b44cc26022fb26bd07
Malware Config
Extracted configuration
- Family: redline
- Botnet (campaign tag): Studio Product
- C2: 93.114.128.190:49966

The C2 is a bare IP and a high, non-standard TCP port, so there is no domain to sinkhole; alert on outbound connections to 93.114.128.190 on TCP/49966 and treat any host that reaches it as compromised.
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
- Resource: behavioral1/memory/1504-129-0x0000000000E00000-0x0000000000E76000-memory.dmp
- YARA rule: family_redline
The match is in the memory of RegAsm.exe (PID 1504), not in any file on disk: the 472KB region at 0x00E00000 is consistent with the unpacked stealer having been written into RegAsm.exe by its parent (see SetThreadContext and WriteProcessMemory below). Disk hashes of the dropped files are therefore not a usable indicator for the stealer itself.

Executes dropped EXE (3 IoCs)
  PID   Process
  2116  Gioco.exe.com
  1956  Gioco.exe.com
  1504  RegAsm.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 1956 (Gioco.exe.com) set the thread context of PID 1504 (RegAsm.exe).
Combined with the five WriteProcessMemory calls from 1956 into 1504 listed below, this is the process-hollowing pattern: the payload is written into the child and its thread context is rewritten so execution starts in the injected code rather than in RegAsm.exe's own entry point.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That description is the sandbox's generic text for this signature. In this report the family is a stealer, drive enumeration fits collection rather than encryption, and nothing else in the report (no mass file writes, no ransom note) points to ransomware.

Runs ping.exe (1 TTP, 1 IoC)
  PID 3948: ping 127.0.0.1 -n 30
Thirty echo requests to loopback is a delay of roughly 30 seconds, not a connectivity check.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1504 (RegAsm.exe) enabled SeDebugPrivilege.

Suspicious use of WriteProcessMemory (26 IoCs)
  Source PID  Source process       Target PID  Target process  Writes
  3152        trainer v5.1.3.exe   2696        makecab.exe     3
  3152        trainer v5.1.3.exe   3648        cmd.exe         3
  3648        cmd.exe              2784        cmd.exe         3
  2784        cmd.exe              2072        findstr.exe     3
  2784        cmd.exe              2116        Gioco.exe.com   3
  2784        cmd.exe              3948        PING.EXE        3
  2116        Gioco.exe.com        1956        Gioco.exe.com   3
  1956        Gioco.exe.com        1504        RegAsm.exe      5
Every parent/child pair in the tree shows exactly three writes, including benign children such as makecab.exe and findstr.exe, so three is the baseline the sandbox records for ordinary process creation. Only 1956 -> 1504 exceeds it; those extra writes are the injection that precedes the SetThreadContext call.
Processes
(indentation shows depth in the process tree; PIDs are taken from the signature tables above)

C:\Users\Admin\AppData\Local\Temp\trainer v5.1.3.exe  (PID 3152)
  command: "C:\Users\Admin\AppData\Local\Temp\trainer v5.1.3.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\makecab.exe  (PID 2696)
    command: "C:\Windows\System32\makecab.exe"
  C:\Windows\SysWOW64\cmd.exe  (PID 3648)
    command: "C:\Windows\System32\cmd.exe" /c JkufaXUkEbtZKZPMlStRRa & cmd < Miniato.mov
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2784)
      command: cmd
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\findstr.exe  (PID 2072)
        command: findstr /V /R "^vvXPvIZBSPsLqkjJdLToMnnequtyvTHFhPngzExHHmCWDLLeyacGhGzXYUOdETyZoLnkMYdMsjAjWBmfxwqrbws$" Sembri.mov
      C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com  (PID 2116)
        command: Gioco.exe.com D
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com  (PID 1956)
          command: C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com D
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe  (PID 1504)
            command: C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\PING.EXE  (PID 3948)
        command: ping 127.0.0.1 -n 30
        - Runs ping.exe

Reading the chain:
- The command lines say C:\Windows\System32\... but the images that ran are in C:\Windows\SysWOW64\. The dropper is 32-bit, so WOW64 file-system redirection maps System32 to SysWOW64; a detection that keys on the image path must accept both.
- JkufaXUkEbtZKZPMlStRRa is not a real command. cmd.exe fails it and continues past the & to "cmd < Miniato.mov", which runs the dropped Miniato.mov as a batch script read from standard input, so no .bat or .cmd extension is ever executed for a filter to catch.
- findstr /V /R "^marker$" Sembri.mov prints every line of Sembri.mov except the lines that are exactly the marker string, i.e. it reassembles a payload that was split by junk lines. The redirect target of that output is not visible in the captured command line; Sembri.mov and Gioco.exe.com have different hashes (see Downloads), which is consistent with Gioco.exe.com being the reassembled output, but the report does not show the redirect itself.
- Gioco.exe.com is run with the argument D. D is a dropped file whose hashes are identical to Riconosco.mov (see Downloads). Gioco.exe.com then starts a second copy of itself, and that copy hollows the dropped RegAsm.exe, which is where the RedLine payload was found in memory.
- makecab.exe is started with no arguments and shows no further activity in the report.
- ping 127.0.0.1 -n 30 runs as a sibling of Gioco.exe.com under the same cmd.exe and serves as a ~30 second delay.
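The chain above breaks into five behaviours that are individually noisy but rarely co-occur in benign activity: a script fed to cmd.exe over stdin, findstr /V /R used to strip a marker line, a double-extension .exe.com run from AppData\Roaming, a loopback ping used as a sleep, and a process that spawns a copy of itself which then launches RegAsm.exe from outside C:\Windows. The following is an added example of hunting that chain in process-creation telemetry; it is not part of the sandbox report or of any vendor tooling. The events are constructed from the tree above (same PIDs, images and command lines; the dropper's parent PID 1000 is assumed), and pid/ppid/image/cmdline is an assumed generic schema, not any particular EDR's field names.

```python
"""Hunt the RedLine staging chain from this report in process-creation events (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as loaded (SysWOW64 for this 32-bit chain)
    cmdline: str   # command line as typed (still says System32)


DROP_DIR = (r"C:\Users\Admin\AppData\Roaming"
            r"\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa")
MARKER = "^vvXPvIZBSPsLqkjJdLToMnnequtyvTHFhPngzExHHmCWDLLeyacGhGzXYUOdETyZoLnkMYdMsjAjWBmfxwqrbws$"

# Constructed from the report's process tree; the dropper's parent (PID 1000) is assumed.
EVENTS: List[ProcEvent] = [
    ProcEvent(3152, 1000, r"C:\Users\Admin\AppData\Local\Temp\trainer v5.1.3.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\trainer v5.1.3.exe"'),
    ProcEvent(2696, 3152, r"C:\Windows\SysWOW64\makecab.exe", r'"C:\Windows\System32\makecab.exe"'),
    ProcEvent(3648, 3152, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c JkufaXUkEbtZKZPMlStRRa & cmd < Miniato.mov'),
    ProcEvent(2784, 3648, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(2072, 2784, r"C:\Windows\SysWOW64\findstr.exe", f'findstr /V /R "{MARKER}" Sembri.mov'),
    ProcEvent(2116, 2784, DROP_DIR + r"\Gioco.exe.com", "Gioco.exe.com D"),
    ProcEvent(3948, 2784, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 30"),
    ProcEvent(1956, 2116, DROP_DIR + r"\Gioco.exe.com", DROP_DIR + r"\Gioco.exe.com D"),
    ProcEvent(1504, 1956, DROP_DIR + r"\RegAsm.exe", DROP_DIR + r"\RegAsm.exe"),
]

# RegAsm.exe is the host this sample hollowed; add other .NET utilities here as you see them.
HOLLOW_HOSTS = {"regasm.exe"}


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) for every event that matches one building block of the chain."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        name, cl, img = _name(e.image), e.cmdline, e.image.lower()
        # 1. A script fed to cmd over stdin: no .bat/.cmd extension ever executes.
        if name == "cmd.exe" and re.search(r"\bcmd(?:\.exe)?\s*<\s*\S+", cl, re.I):
            hits.append(("cmd_stdin_script", e.pid))
        # 2. findstr /V /R "^...$": drops lines equal to a marker, i.e. reassembles a split payload.
        if name == "findstr.exe" and re.search(r'/V\b.*?/R\b.*?"\^[^"]+\$"', cl, re.I):
            hits.append(("findstr_marker_strip", e.pid))
        # 3. Double extension (.exe.com) executed out of AppData\Roaming.
        if re.search(r"\.(exe|scr|dll)\.com$", name) and "\\appdata\\roaming\\" in img:
            hits.append(("double_extension_in_roaming", e.pid))
        # 4. ping to loopback with a large count is a sleep, not a connectivity check.
        m = re.search(r"127\.0\.0\.1\s+-n\s+(\d+)", cl, re.I)
        if name == "ping.exe" and m and int(m.group(1)) >= 10:
            hits.append(("ping_loopback_delay", e.pid))
        # 5. A process spawns a copy of itself, and that copy launches a .NET host from outside
        #    C:\Windows: the parent of the hollowed RegAsm.exe in this report.
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == img:
            for child in events:
                if (child.ppid == e.pid and _name(child.image) in HOLLOW_HOSTS
                        and not child.image.lower().startswith("c:\\windows\\")):
                    hits.append(("self_spawn_then_dotnet_host", child.pid))
    return hits


def is_staging_chain(events: List[ProcEvent], min_rules: int = 3) -> bool:
    """Any single rule fires on benign admin activity now and then; the combination is the signal."""
    return len({rule for rule, _ in hunt(events)}) >= min_rules


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:30s} pid={pid}")
    print("staging chain:", is_staging_chain(EVENTS))
```

Rule 5 is the one worth the most weight: a dropped executable starting a second copy of itself and that copy launching RegAsm.exe from a user-writable directory is the hollowing set-up, and it is the process whose memory carried the family_redline match. The threshold in is_staging_chain is deliberately low (three of five) so the hunt still fires when the actor renames the marker, drops the ping, or swaps findstr for another text tool.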
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
All files below were written to C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\

Appare.mov
- MD5: eb756ee1e6ae2ea1e629ee55688da47f
- SHA1: 885730d556073dcfaefb4674051ca41629a12648
- SHA256: 7c15c0956b029e76c3be33e053cef48db61d77db560705491f020e9c1e901e36
- SHA512: d8dc3e72ec991b4a25188e83d4a8ea94b2c8abb3346d45192bed084e90462a1d03953c5e674afb217cec846851095cd595f3d905c00429583e40d8342cbdc6e2

D  (the argument passed to Gioco.exe.com; same hashes as Riconosco.mov, so it is a byte-for-byte copy)
- MD5: 22f98d3d92047a62e6f142fd432bfece
- SHA1: 740f9220aaa2de9b5db7b8bb55cef0035a5c52d1
- SHA256: e9cd04d181350d3590cbf53ff7d14b18448346a60e4584bd6877dc4749694f59
- SHA512: fa107a98ca604c08d563cf497646b5efd53c781ca020abf67111567903700e23d53802c986db619b1fafb9794b55979cad6322a88150869f22fd92e8d1b9be70

Gioco.exe.com  (dropped executable, run as PIDs 2116 and 1956)
- MD5: 78ba0653a340bac5ff152b21a83626cc
- SHA1: b12da9cb5d024555405040e65ad89d16ae749502
- SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
- SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Miniato.mov  (the batch script run via "cmd < Miniato.mov")
- MD5: ae0b54f7a6a94dc4005a8faf4d192052
- SHA1: 605744bbd37c6506bcb68c71f0179fed6c3fae6f
- SHA256: 41b677624c7b9490f40c2640b81b6b039ca709d25e5edf5f444ac4fa3edd9058
- SHA512: 40da247000660104aa613c4a279102bd489cb3244270b3664ace5eeed20e87e74727d27440c30d2171308613f8f159f3a04bda2e0d62cc5f8ec52931c2f46cfa

RegAsm.exe  (dropped copy, run as PID 1504; the process the RedLine payload was injected into)
- MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
- SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
- SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
- SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Riconosco.mov  (same hashes as D)
- MD5: 22f98d3d92047a62e6f142fd432bfece
- SHA1: 740f9220aaa2de9b5db7b8bb55cef0035a5c52d1
- SHA256: e9cd04d181350d3590cbf53ff7d14b18448346a60e4584bd6877dc4749694f59
- SHA512: fa107a98ca604c08d563cf497646b5efd53c781ca020abf67111567903700e23d53802c986db619b1fafb9794b55979cad6322a88150869f22fd92e8d1b9be70

Sembri.mov  (input to the findstr /V /R command)
- MD5: f04ed5a4b31423f610e9021bf8e1f5ac
- SHA1: 022e175fa951ecbf749d873563f6d26971fb5f3a
- SHA256: ebf40e49ca0fc49d54cb132df4be0e40f256756a374fca3257434963bb4cc3b3
- SHA512: e156e6cc1a6b2a604f87fbd250df9da410397305884c95a48f99a87f819fae2abdb3d5a3c1f83e3d57a1002f1374216873348713d8924dd7b324c17f1d2120b2

Note that the .mov extensions are camouflage: Miniato.mov is executed as a batch script and Sembri.mov is consumed by findstr, so none of these are media files. The hashes above are file-on-disk indicators for this build of the loader; the family_redline YARA match was only in RegAsm.exe's memory, so for the stealer itself rely on the C2 and the memory rule rather than on these hashes.
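An analyst who has Sembri.mov and the marker string from the findstr command line can reproduce the reassembly stage without detonating anything and then compare the result with the Gioco.exe.com SHA256 listed above. The following is an added example, not part of the report: it emulates findstr /V /R "^marker$" (drop every line that is exactly the marker, pass everything else through unchanged), checks that the output has a PE header, and compares its SHA256 with an expected value. The carrier file and the embedded executable are constructed in-line so the script runs without the real samples; only the marker is taken from the report.

```python
"""Reproduce findstr /V /R "^marker$" offline and check the result (added example)."""
import hashlib
from typing import Iterator, Optional, Tuple

# Marker from the report's findstr command line (without the ^ and $ regex anchors).
MARKER = b"vvXPvIZBSPsLqkjJdLToMnnequtyvTHFhPngzExHHmCWDLLeyacGhGzXYUOdETyZoLnkMYdMsjAjWBmfxwqrbws"


def _lines(data: bytes) -> Iterator[bytes]:
    """Split after every LF and keep the terminator, so non-marker bytes are emitted unchanged."""
    start = 0
    while start < len(data):
        i = data.find(b"\n", start)
        if i < 0:
            yield data[start:]
            return
        yield data[start:i + 1]
        start = i + 1


def strip_marker_lines(data: bytes, marker: bytes) -> bytes:
    """What findstr /V /R "^marker$" does: drop every line that is exactly the marker."""
    return b"".join(line for line in _lines(data) if line.rstrip(b"\r\n") != marker)


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0, e_lfanew at 0x3C, and the PE signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def recover(carrier: bytes, marker: bytes,
            expected_sha256: Optional[str] = None) -> Tuple[bytes, bool, Optional[bool]]:
    """Strip the marker lines; return (payload, has_pe_header, sha256_matches_or_None)."""
    payload = strip_marker_lines(carrier, marker)
    match = None if expected_sha256 is None else sha256_hex(payload) == expected_sha256.lower()
    return payload, looks_like_pe(payload), match


# --- constructed stand-ins for Sembri.mov and the executable hidden inside it ---
def _build_fake_pe() -> bytes:
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")   # PE header right after the DOS header
    # body deliberately contains an LF byte, as real binaries do, so a marker line can sit after it
    return bytes(dos) + b"PE\0\0" + b"\x00" * 12 + b"\n" + b"\x90" * 16


PAYLOAD = _build_fake_pe()
_cut = PAYLOAD.index(b"\n") + 1
# two marker lines in front of the executable and one more after a newline inside it
CARRIER = (MARKER + b"\r\n") * 2 + PAYLOAD[:_cut] + MARKER + b"\r\n" + PAYLOAD[_cut:]

if __name__ == "__main__":
    payload, is_pe, ok = recover(CARRIER, MARKER, sha256_hex(PAYLOAD))
    print(f"{len(CARRIER)} -> {len(payload)} bytes; PE header: {is_pe}; hash matches: {ok}")
```

Against the real files, call recover() with the bytes of Sembri.mov, the marker above, and the Gioco.exe.com SHA256 from the Downloads list (05d8cf39...). A match confirms that Gioco.exe.com is the findstr output; a PE header with a mismatched hash means the redirect target was some other file, since the tree above does not show where the output went. One caveat: findstr is a text tool, and its handling of very long lines and binary content is not guaranteed to be byte-for-byte what this emulation does, so treat the hash comparison, not the emulation alone, as the verdict.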
-
Memory dumps
  Dump                                                                 Size
  memory/1504-129-0x0000000000E00000-0x0000000000E76000-memory.dmp     472KB  (YARA family_redline match)
  memory/1504-134-0x0000000005F60000-0x0000000005F61000-memory.dmp     4KB
  memory/1504-135-0x0000000006570000-0x0000000006571000-memory.dmp     4KB
  memory/1504-136-0x0000000005AB0000-0x0000000005AB1000-memory.dmp     4KB
  memory/1504-137-0x0000000005A50000-0x0000000005A51000-memory.dmp     4KB
  memory/1504-138-0x0000000005C50000-0x0000000005C51000-memory.dmp     4KB
  memory/1504-139-0x00000000053C0000-0x00000000053C1000-memory.dmp     4KB
  memory/1504-140-0x0000000005E70000-0x0000000005E71000-memory.dmp     4KB
  memory/1504-141-0x0000000008050000-0x0000000008051000-memory.dmp     4KB
  memory/1504-142-0x00000000086D0000-0x00000000086D1000-memory.dmp     4KB
  memory/1504-143-0x0000000008DD0000-0x0000000008DD1000-memory.dmp     4KB
  memory/1504-144-0x00000000088A0000-0x00000000088A1000-memory.dmp     4KB
  memory/1956-125-0x0000000000000000-mapping.dmp                       (mapping dump, no size listed)
  memory/1956-128-0x0000000001850000-0x0000000001851000-memory.dmp     4KB
  memory/2072-118-0x0000000000000000-mapping.dmp                       (mapping dump, no size listed)
  memory/2116-121-0x0000000000000000-mapping.dmp                       (mapping dump, no size listed)
  memory/2696-114-0x0000000000000000-mapping.dmp                       (mapping dump, no size listed)
  memory/2784-117-0x0000000000000000-mapping.dmp                       (mapping dump, no size listed)
  memory/3648-115-0x0000000000000000-mapping.dmp                       (mapping dump, no size listed)
  memory/3948-124-0x0000000000000000-mapping.dmp                       (mapping dump, no size listed)

Of the RegAsm.exe (PID 1504) dumps, only 1504-129 is larger than a single page, and it is the one the family_redline rule matched. A 472KB region at 0x00E00000 in a process whose parent called WriteProcessMemory and SetThreadContext on it is what an injected image looks like; the single-page dumps at higher addresses are ordinary heap allocations. If you want to carve the stealer for configuration extraction, that dump is the one to take.