Analysis
- max time kernel: 47s
- max time network: 42s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 12:16
Static task: static1
Behavioral task: behavioral1
Sample: FAD165B5BA7DDB0389733F6B979EAE3E.exe
Resource: win7v20210408
General
- Target: FAD165B5BA7DDB0389733F6B979EAE3E.exe
- Size: 2.4MB
- MD5: fad165b5ba7ddb0389733f6b979eae3e
- SHA1: e3641696b0cb2137501ad51501225ee79757ba2b
- SHA256: 328c5eb8908b83c474ab4ab892ac1c2cae066f1f55dbcd15d850b54cc0f4c3cc
- SHA512: 621ba451d47acb409ce309322236ce53c4dd514a40ece5cb3beaf509ce9241bf410e792efea2d2435d7fb0c87b2ee3c649f9a8274e0e852b534e1263954a95fc
Malware Config
Extracted:
- family: redline
- @Osix7
- briaseynan.xyz:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1696-62-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
    behavioral1/memory/1696-63-0x00000000004171EA-mapping.dmp                    family_redline
    behavioral1/memory/1696-64-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  process
    660  build2.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    1696  AddInProcess32.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    18    icanhazip.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                           pid   process                               target process
    PID 1832 set thread context of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
- Program crash (1 IoCs)
  Processes:
    pid  pid_target  process       target process
    240  660         WerFault.exe  build2.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
    pid   process
    1696  AddInProcess32.exe
    1696  AddInProcess32.exe
    660   build2.exe
    660   build2.exe
    240   WerFault.exe
    240   WerFault.exe
    240   WerFault.exe
    240   WerFault.exe
    240   WerFault.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe
    Token: SeDebugPrivilege  1696  AddInProcess32.exe
    Token: SeDebugPrivilege  660   build2.exe
    Token: SeDebugPrivilege  240   WerFault.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 1832 wrote to memory of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
    PID 1832 wrote to memory of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
    PID 1832 wrote to memory of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
    PID 1832 wrote to memory of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
    PID 1832 wrote to memory of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
    PID 1832 wrote to memory of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
    PID 1832 wrote to memory of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
    PID 1832 wrote to memory of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
    PID 1832 wrote to memory of 1696   1832  FAD165B5BA7DDB0389733F6B979EAE3E.exe  AddInProcess32.exe
    PID 1696 wrote to memory of 660    1696  AddInProcess32.exe                    build2.exe
    PID 1696 wrote to memory of 660    1696  AddInProcess32.exe                    build2.exe
    PID 1696 wrote to memory of 660    1696  AddInProcess32.exe                    build2.exe
    PID 1696 wrote to memory of 660    1696  AddInProcess32.exe                    build2.exe
    PID 660 wrote to memory of 240     660   build2.exe                            WerFault.exe
    PID 660 wrote to memory of 240     660   build2.exe                            WerFault.exe
    PID 660 wrote to memory of 240     660   build2.exe                            WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\FAD165B5BA7DDB0389733F6B979EAE3E.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\FAD165B5BA7DDB0389733F6B979EAE3E.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\build2.exe
         Command line: "C:\Users\Admin\AppData\Roaming\build2.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 660 -s 1088
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\build2.exe
  MD5: cdb973a5c06fbf67dc48d359239a3b89
  SHA1: 4562d1c5c799a2d37a4700733fa165e0ba6bfc08
  SHA256: 630a85d082105029c1f4962acea125d2dd7da277c060ee51544f748a58d0daaf
  SHA512: 5836db643318abca0eab5a0f93fc2268afdb5b29c9009d136119182751b6df6eeeb2afba7013dde59acfd85b330742b6fe549aecff3447b66d5ddf8ba2021ea9
- \Users\Admin\AppData\Roaming\build2.exe
  MD5: cdb973a5c06fbf67dc48d359239a3b89
  SHA1: 4562d1c5c799a2d37a4700733fa165e0ba6bfc08
  SHA256: 630a85d082105029c1f4962acea125d2dd7da277c060ee51544f748a58d0daaf
  SHA512: 5836db643318abca0eab5a0f93fc2268afdb5b29c9009d136119182751b6df6eeeb2afba7013dde59acfd85b330742b6fe549aecff3447b66d5ddf8ba2021ea9
- memory/240-74-0x0000000000000000-mapping.dmp
- memory/240-75-0x000007FEFB681000-0x000007FEFB683000-memory.dmp (Filesize: 8KB)
- memory/240-76-0x0000000001BC0000-0x0000000001BC1000-memory.dmp (Filesize: 4KB)
- memory/660-68-0x0000000000000000-mapping.dmp
- memory/660-71-0x0000000001170000-0x0000000001171000-memory.dmp (Filesize: 4KB)
- memory/660-73-0x000000001AFF0000-0x000000001AFF2000-memory.dmp (Filesize: 8KB)
- memory/1696-63-0x00000000004171EA-mapping.dmp
- memory/1696-64-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1696-66-0x0000000004C60000-0x0000000004C61000-memory.dmp (Filesize: 4KB)
- memory/1696-62-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1832-59-0x0000000000DD0000-0x0000000000DD1000-memory.dmp (Filesize: 4KB)
- memory/1832-61-0x0000000004630000-0x0000000004631000-memory.dmp (Filesize: 4KB)