Analysis
max time kernel: 271s
max time network: 274s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 13:04
Static task: static1
Behavioral task: behavioral1, Sample: trainer v5.1.3.exe, Resource: win10v20210410
Behavioral task: behavioral2, Sample: trainer v5.1.3.exe, Resource: win10v20210410
Behavioral task: behavioral3, Sample: trainer v5.1.3.exe, Resource: win10v20210410
Behavioral task: behavioral4, Sample: trainer v5.1.3.exe, Resource: win10v20210408
Behavioral task: behavioral5, Sample: trainer v5.1.3.exe, Resource: win7v20210410
General
Target: trainer v5.1.3.exe
Size: 1.5MB
MD5: d411460e9cf04cd64bdc25345bc9783b
SHA1: 3374f053e1b9d40558c65bd363a3bae336a76cc8
SHA256: d47a34d18de0c08fa32f88fabb0123de6521b20f21a955f050c019a89360acb8
SHA512: 8b8b8b9054daedd9f39682ab3d44f757f28085e028e4b666bca17a997e61c48b52cadbfefb851da0b4b4d2979ecd399f55e74bc0c9dd29b44cc26022fb26bd07
Malware Config
Extracted family: redline
Botnet: Studio Product
C2: 93.114.128.190:49966
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
resource: behavioral2/memory/3712-129-0x0000000000900000-0x0000000000976000-memory.dmp, yara_rule: family_redline

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 1324 Gioco.exe.com
- 4036 Gioco.exe.com
- 3712 RegAsm.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes (pid, process -> target process):
- PID 4036 Gioco.exe.com set thread context of 3712 RegAsm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 3712 RegAsm.exe
- 3712 RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3712 RegAsm.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes (source pid/process -> target pid/process, number of write events):
- 4020 trainer v5.1.3.exe -> 2600 makecab.exe (3)
- 4020 trainer v5.1.3.exe -> 184 cmd.exe (3)
- 184 cmd.exe -> 3256 cmd.exe (3)
- 3256 cmd.exe -> 2692 findstr.exe (3)
- 3256 cmd.exe -> 1324 Gioco.exe.com (3)
- 1324 Gioco.exe.com -> 4036 Gioco.exe.com (3)
- 3256 cmd.exe -> 2112 PING.EXE (3)
- 4036 Gioco.exe.com -> 3712 RegAsm.exe (5)
Processes (indented by tree depth; each entry gives the image path, the command line, and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\trainer v5.1.3.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\trainer v5.1.3.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\makecab.exe (depth 2)
    command line: "C:\Windows\System32\makecab.exe"

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c JkufaXUkEbtZKZPMlStRRa & cmd < Miniato.mov
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: cmd
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe (depth 4)
        command line: findstr /V /R "^vvXPvIZBSPsLqkjJdLToMnnequtyvTHFhPngzExHHmCWDLLeyacGhGzXYUOdETyZoLnkMYdMsjAjWBmfxwqrbws$" Sembri.mov

      C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com (depth 4)
        command line: Gioco.exe.com D
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com (depth 5)
          command line: C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com D
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe (depth 6)
            command line: C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\PING.EXE (depth 4)
        command line: ping 127.0.0.1 -n 30
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads