Overview

overview

10

Static

static

22F9967C01...F5.exe

windows7_x64

10

22F9967C01...F5.exe

windows10_x64

10

Resubmissions

10-05-2021 10:26

210510-51q2zwvjce 10

Analysis

  • max time kernel
    104s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    10-05-2021 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22F9967C010BF3B752D56BCDEE846BF5.exe

  • Size

    612KB

  • MD5

    22f9967c010bf3b752d56bcdee846bf5

  • SHA1

    688b82c1eb648ee5eea04042da253d77c706f945

  • SHA256

    d8a12da66c3b95e1f2dc9c7e5667a5baf7dbdbbaff01f342222dc696c07455fa

  • SHA512

    b4dfd895af0f98de30d6446e847e3451c8d8fa7a6571aaac7db3c0fd40febc982e52035af709db3bba68b0e19037ee71443863b25ed3d5dcc13bb0375d69c3c6

Score
10/10
redlinesource1evasioninfostealerspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

source1

C2

199.195.251.96:43073

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22F9967C010BF3B752D56BCDEE846BF5.exe
    "C:\Users\Admin\AppData\Local\Temp\22F9967C010BF3B752D56BCDEE846BF5.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1752
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1392 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • NTFS ADS
      • Suspicious use of SetWindowsHookEx
      PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5

    15775d95513782f99cdfb17e65dfceb1

    SHA1

    6c11f8bee799b093f9ff4841e31041b081b23388

    SHA256

    477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

    SHA512

    ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    d98cb8552065b3658e8abebd7e68bd07

    SHA1

    b09f5fc46adea26979b93146e0569913ab5e6032

    SHA256

    e0c1d5ab7b6c49bafc64ae2fb2dac8b11dad0114f12846002a5e78ab8e88f4b7

    SHA512

    4f245051f9c618ddf2d9a669dc86ea4e12715f9ddfc32373f0302af418d15e4bd162c0ad79e6850c19bf5b0fb5297ff94e08f03fca0085b0253bf5e4181caee2

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bq3gxmw\imagestore.dat
    MD5

    38490ded4809c90bf7b7c97d10ba957d

    SHA1

    a39a6e1fa97f98968b8d3530dba65ed201373412

    SHA256

    9cd22f3811293efbe9c93622424bccea44edfbd13074b5f2cc4f4069df00ab20

    SHA512

    88f4d4dc0515effb51d50e6e5ba9d3d6687836ce5b58ccfc75103c28d75244ae4b50d1e09c8572a2d454f1333cd76f1f3c46854f71e3617960ce99384a39965b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
    MD5

    b13e035f8c5c8c30c40033165017508e

    SHA1

    075cc57e58640fdde4cb8ac199d3b5978129ac14

    SHA256

    2a48eaec94fd1d0b2ae2b0d420d2ae8810d5ddd2b43018745725a2fa2c4d5e7b

    SHA512

    4bb837346d85ef16d442b89a77404c22c6654904fb0c839abb8477c99cc628b8bc17d7fa01271b05a53c3407fd596b764f50561543b3ef6bfc0e941488624d85

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
    MD5

    b13e035f8c5c8c30c40033165017508e

    SHA1

    075cc57e58640fdde4cb8ac199d3b5978129ac14

    SHA256

    2a48eaec94fd1d0b2ae2b0d420d2ae8810d5ddd2b43018745725a2fa2c4d5e7b

    SHA512

    4bb837346d85ef16d442b89a77404c22c6654904fb0c839abb8477c99cc628b8bc17d7fa01271b05a53c3407fd596b764f50561543b3ef6bfc0e941488624d85

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fdjf.url
    MD5

    9d9ad347b6cbae80d839491a1ff3b853

    SHA1

    9398f82b18fe29dd6eaabe393e66237ea1c01443

    SHA256

    27400afbd76148e9bfbe81ec80472feab65da6a52d8a70f3f9e2c09ca98a3dcd

    SHA512

    8bbaf79f2d90de33eb1de9382fc6f17c2239b4024c92d9aa0665db396aeb70e567671952d0f4eae28bdb709085d3a6244c1e490957734821ad158f7ee47a64dd

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TDOS9Q52.txt
    MD5

    c7bbca92602766e270fbe4527a16fa80

    SHA1

    0d836bab4c20eb9d3cde9432266bc45bcaf9e9fc

    SHA256

    c1d76add63230e5b516fd0b87174ecef85553398b224866bd9e41d1970702739

    SHA512

    7318cf599d59c33ae286761be4e52d1b2bcdee561acbd0aea0460d6c7616eb4bca8ac5d4a182b77970e024553c174a6ccf23aa819040be56b92579857e8bdc04

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
    MD5

    b13e035f8c5c8c30c40033165017508e

    SHA1

    075cc57e58640fdde4cb8ac199d3b5978129ac14

    SHA256

    2a48eaec94fd1d0b2ae2b0d420d2ae8810d5ddd2b43018745725a2fa2c4d5e7b

    SHA512

    4bb837346d85ef16d442b89a77404c22c6654904fb0c839abb8477c99cc628b8bc17d7fa01271b05a53c3407fd596b764f50561543b3ef6bfc0e941488624d85

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
    MD5

    b13e035f8c5c8c30c40033165017508e

    SHA1

    075cc57e58640fdde4cb8ac199d3b5978129ac14

    SHA256

    2a48eaec94fd1d0b2ae2b0d420d2ae8810d5ddd2b43018745725a2fa2c4d5e7b

    SHA512

    4bb837346d85ef16d442b89a77404c22c6654904fb0c839abb8477c99cc628b8bc17d7fa01271b05a53c3407fd596b764f50561543b3ef6bfc0e941488624d85

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
    MD5

    b13e035f8c5c8c30c40033165017508e

    SHA1

    075cc57e58640fdde4cb8ac199d3b5978129ac14

    SHA256

    2a48eaec94fd1d0b2ae2b0d420d2ae8810d5ddd2b43018745725a2fa2c4d5e7b

    SHA512

    4bb837346d85ef16d442b89a77404c22c6654904fb0c839abb8477c99cc628b8bc17d7fa01271b05a53c3407fd596b764f50561543b3ef6bfc0e941488624d85

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
    MD5

    b13e035f8c5c8c30c40033165017508e

    SHA1

    075cc57e58640fdde4cb8ac199d3b5978129ac14

    SHA256

    2a48eaec94fd1d0b2ae2b0d420d2ae8810d5ddd2b43018745725a2fa2c4d5e7b

    SHA512

    4bb837346d85ef16d442b89a77404c22c6654904fb0c839abb8477c99cc628b8bc17d7fa01271b05a53c3407fd596b764f50561543b3ef6bfc0e941488624d85

    Download Submit
  • memory/1392-77-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1520-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1688-59-0x0000000075B31000-0x0000000075B33000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1752-76-0x0000000000A80000-0x0000000000A81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1752-74-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1752-72-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1752-73-0x00000000004163CE-mapping.dmp
    Download
  • memory/1996-71-0x0000000000BD0000-0x0000000000BE6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1996-70-0x0000000000740000-0x000000000077B000-memory.dmp
    Filesize

    236KB

    Download
  • memory/1996-69-0x0000000000350000-0x0000000000351000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-67-0x00000000011E0000-0x00000000011E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-64-0x0000000000000000-mapping.dmp
    Download