Analysis
- max time kernel: 95s
- max time network: 95s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 28-04-2021 04:37

Static task: static1

Behavioral task: behavioral1
- Sample: skipper.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: skipper.exe
- Resource: win10v20210410
General
- Target: skipper.exe
- Size: 1.1MB
- MD5: dba8101da0c11a3026fbd7278f28f977
- SHA1: 0f17ce1e24adfe2386e6e25c68100749e5d79dbb
- SHA256: 83b897270a955267f21de7462bdbe05910e48825ef79cc8ae142713f925fb802
- SHA512: f912e8a79c3a0275b57fd2b652fc92ccd5c7595ef329331f14a0529c109d7e72482ef98929a539b89516a972b8b455484a56d1ca20c5ba5dcea3b49c699b3a21
Malware Config
Extracted
- Family: redline
- EUU
- download3.info:80
Extracted
- Family: redline
- 1414
- 188.119.112.16:46409
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (6 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1664-69-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
  - behavioral1/memory/1664-70-0x00000000004171EE-mapping.dmp  family_redline
  - behavioral1/memory/1664-71-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
  - behavioral1/memory/1736-82-0x0000000000400000-0x0000000000430000-memory.dmp  family_redline
  - behavioral1/memory/1736-83-0x000000000042977E-mapping.dmp  family_redline
  - behavioral1/memory/1736-84-0x0000000000400000-0x0000000000430000-memory.dmp  family_redline
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 296  761647212.exe
  - 588  381717225.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
  - 1120  cmd.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid / process; repeated events collapsed with a count):
  - 1996  skipper.exe  (4 events)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process -> target process):
  - PID 296 set thread context of 1664  296 761647212.exe -> AddInProcess32.exe
  - PID 588 set thread context of 1736  588 381717225.exe -> AddInProcess32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies system certificate store
  Processes (description / ioc / process):
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  skipper.exe
  - Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not captured in this report]  skipper.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process; repeated events collapsed with a count):
  - 1664  AddInProcess32.exe  (2 events)
  - 1736  AddInProcess32.exe  (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege  296   761647212.exe
  - Token: SeDebugPrivilege  1664  AddInProcess32.exe
  - Token: SeDebugPrivilege  588   381717225.exe
  - Token: SeDebugPrivilege  1736  AddInProcess32.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes (description / pid / process -> target process; repeated events collapsed with a count):
  - PID 1996 wrote to memory of 296   1996 skipper.exe -> 761647212.exe        (4 events)
  - PID 296 wrote to memory of 1664   296 761647212.exe -> AddInProcess32.exe  (9 events)
  - PID 1996 wrote to memory of 588   1996 skipper.exe -> 381717225.exe        (4 events)
  - PID 588 wrote to memory of 1944   588 381717225.exe -> AddInProcess32.exe  (9 events)
  - PID 588 wrote to memory of 1736   588 381717225.exe -> AddInProcess32.exe  (9 events)
  - PID 1996 wrote to memory of 1120  1996 skipper.exe -> cmd.exe              (4 events)
  - PID 1120 wrote to memory of 1868  1120 cmd.exe -> PING.EXE                 (4 events)
Processes
- Process (depth 1): C:\Users\Admin\AppData\Local\Temp\skipper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\skipper.exe"
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - Process (depth 2): C:\Users\Admin\AppData\Local\Temp\761647212.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\761647212.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - Process (depth 2): C:\Users\Admin\AppData\Local\Temp\381717225.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\381717225.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    - Process (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\skipper.exe & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\SysWOW64\PING.EXE
      Command line: ping 0
      - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: c5f5c1945050533213bb5e8e4761f386
  SHA1: 4ed24284e148697704d9a684628eeeeb881e8591
  SHA256: df71712a0aa059f341d74b4228be7b31775773f2126735964bd624c383b70865
  SHA512: 0f1c9f22b9f3a734df1ce3c0677a8ffa2fe38d26c8adb76eb368528a36fecc534c70658dc4972c2126bab7ae7cf703ed4f752f4539120a91b20c86a6a63226d3
- C:\Users\Admin\AppData\Local\Temp\381717225.exe
  MD5: cca6e302974f8ad2cf237cbb402f7db8
  SHA1: 82483651f9c152a2ccf0a7f6a348c14daf73ccfc
  SHA256: 12da3023f88f28c58bfa10a19cf70481e263bed0ae9bd393369e6ed9b7971827
  SHA512: cad0b4afd348085070f4a786bdcd62a5d01ca3413f07315956c09489b3ca92e09a893bc1960d25c9a650eeb3d0c4395a1b47d0562b359285794d9e4c0929ae87
- C:\Users\Admin\AppData\Local\Temp\761647212.exe
  MD5: d51901e3386120269c6b08fcaa3816e7
  SHA1: 6b0a36ce8cb5390d4d53800e4bf5281fb0eb5d7e
  SHA256: afd25aff257a6b31a2377b9633a0f4227da3112976c749c34858d85436d0af5a
  SHA512: 5639773bca6fdeefe91ca58776758c1abd2a8a67824365dd0140800ddaa3935dcd4568eeebe8163f564e8d3754bce65b339163a230bd7d17b5c6e16eb5c345f5
- \Users\Admin\AppData\Local\Temp\381717225.exe
  MD5: cca6e302974f8ad2cf237cbb402f7db8
  SHA1: 82483651f9c152a2ccf0a7f6a348c14daf73ccfc
  SHA256: 12da3023f88f28c58bfa10a19cf70481e263bed0ae9bd393369e6ed9b7971827
  SHA512: cad0b4afd348085070f4a786bdcd62a5d01ca3413f07315956c09489b3ca92e09a893bc1960d25c9a650eeb3d0c4395a1b47d0562b359285794d9e4c0929ae87
- \Users\Admin\AppData\Local\Temp\761647212.exe
  MD5: d51901e3386120269c6b08fcaa3816e7
  SHA1: 6b0a36ce8cb5390d4d53800e4bf5281fb0eb5d7e
  SHA256: afd25aff257a6b31a2377b9633a0f4227da3112976c749c34858d85436d0af5a
  SHA512: 5639773bca6fdeefe91ca58776758c1abd2a8a67824365dd0140800ddaa3935dcd4568eeebe8163f564e8d3754bce65b339163a230bd7d17b5c6e16eb5c345f5
- memory/296-65-0x0000000001200000-0x0000000001201000-memory.dmp  Filesize: 4KB
- memory/296-62-0x0000000000000000-mapping.dmp
- memory/296-67-0x00000000003F0000-0x00000000003F1000-memory.dmp  Filesize: 4KB
- memory/588-81-0x00000000048A0000-0x00000000048A1000-memory.dmp  Filesize: 4KB
- memory/588-75-0x0000000000000000-mapping.dmp
- memory/588-78-0x0000000000EF0000-0x0000000000EF1000-memory.dmp  Filesize: 4KB
- memory/1120-86-0x0000000000000000-mapping.dmp
- memory/1664-80-0x0000000004C50000-0x0000000004C51000-memory.dmp  Filesize: 4KB
- memory/1664-70-0x00000000004171EE-mapping.dmp
- memory/1664-69-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
- memory/1664-71-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
- memory/1736-82-0x0000000000400000-0x0000000000430000-memory.dmp  Filesize: 192KB
- memory/1736-83-0x000000000042977E-mapping.dmp
- memory/1736-84-0x0000000000400000-0x0000000000430000-memory.dmp  Filesize: 192KB
- memory/1736-88-0x0000000004170000-0x0000000004171000-memory.dmp  Filesize: 4KB
- memory/1868-87-0x0000000000000000-mapping.dmp
- memory/1996-59-0x0000000075D41000-0x0000000075D43000-memory.dmp  Filesize: 8KB