Analysis
- max time kernel: 73s
- max time network: 75s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 06-05-2021 21:01
Static task: static1
Behavioral task: behavioral1
  Sample: 117E4E3F1B6EDAE6745F82CF072008F1.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 117E4E3F1B6EDAE6745F82CF072008F1.exe
  Resource: win10v20210410
General
- Target: 117E4E3F1B6EDAE6745F82CF072008F1.exe
- Size: 1.0MB
- MD5: 117e4e3f1b6edae6745f82cf072008f1
- SHA1: 62bcde8f6c592a4be16b0d0feeb5fa2df13b0619
- SHA256: 3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020
- SHA512: f7e5ee09daf8e52729feb9259457659f0575f6695842611c01e327b8e70d7a10bc9901662fecb28a1c8b35ac57e86bd92f4a93d4fcca203f24502255274223c1
Malware Config
Extracted
redline
9874
nshoreyle.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/1160-79-0x0000000000090000-0x00000000000AC000-memory.dmp   family_redline
behavioral1/memory/1160-84-0x0000000000090000-0x00000000000AC000-memory.dmp   family_redline
-
Executes dropped EXE 3 IoCs
Processes:
pid    process
1800   Sta.exe.com
400    Sta.exe.com
1160   RegAsm.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid    process
108    cmd.exe
400    Sta.exe.com
1160   RegAsm.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                            pid    process        target process
PID 400 set thread context of 1160     400    Sta.exe.com    RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid    process
1160   RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                pid    process
Token: SeDebugPrivilege    1160   RegAsm.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
Each entry reads "PID <pid> wrote to memory of <target pid>"; the 33 entries collapse to the following parent/child pairs, with the number of recorded writes per pair:
pid    process                                 target pid   target process   writes
1840   117E4E3F1B6EDAE6745F82CF072008F1.exe    620          cmd.exe          4
620    cmd.exe                                 108          cmd.exe          4
108    cmd.exe                                 1620         findstr.exe      4
108    cmd.exe                                 1800         Sta.exe.com      4
108    cmd.exe                                 1696         PING.EXE         4
1800   Sta.exe.com                             400          Sta.exe.com      4
400    Sta.exe.com                             1160         RegAsm.exe       9
Processes
1. C:\Users\Admin\AppData\Local\Temp\117E4E3F1B6EDAE6745F82CF072008F1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\117E4E3F1B6EDAE6745F82CF072008F1.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c OjTdveCmOYGkwPuVcKiZNQpZgITQtdpOakAXUzIiXgaubigrkVRWUyRXrTwOpLxnOSSPfoqweZenbeCixQFpnhThxCU & cmd < Dai.mp4
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /V /R "^aUkEmTrtPLftfXTJGsUJbGeamVtEFfQQoaHhAtLwnlFklwqAGOsXaZfLRTyEPmnAVmVWfGoBFTljwRobUEYRXSbprWcHZikZLyfKutlqFQanPeKqKIJkAHDewMTzlACbHlBV$" Lancio.mp4
         4. C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com
            Command line: Sta.exe.com x
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com
               Command line: C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com x
               - Executes dropped EXE
               - Loads dropped DLL
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe
                  Command line: C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 30
            - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps
dump                                                              size
memory/108-63-0x0000000000000000-mapping.dmp
memory/400-78-0x00000000000B0000-0x00000000000B1000-memory.dmp    4KB
memory/400-73-0x0000000000000000-mapping.dmp
memory/620-61-0x0000000000000000-mapping.dmp
memory/1160-79-0x0000000000090000-0x00000000000AC000-memory.dmp   112KB
memory/1160-84-0x0000000000090000-0x00000000000AC000-memory.dmp   112KB
memory/1160-86-0x0000000004FF0000-0x0000000004FF1000-memory.dmp   4KB
memory/1620-64-0x0000000000000000-mapping.dmp
memory/1696-70-0x0000000000000000-mapping.dmp
memory/1800-68-0x0000000000000000-mapping.dmp
memory/1840-60-0x00000000757C1000-0x00000000757C3000-memory.dmp   8KB