Analysis
max time kernel: 44s
max time network: 46s
platform: windows7_x64
resource: win7v20210410
submitted: 18-05-2021 10:02
Static task: static1
Behavioral task: behavioral1
Sample: 49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe
Resource: win7v20210410
General
Target: 49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe
Size: 1.0MB
MD5: d6109df4ffa4303e3c30ba997735b689
SHA1: 65ac8413b14d7ccb6c848e849caa0de7900116ee
SHA256: 49025966d2dd612fc1e423b01620debfd4c97701aefe26a836cea9e2f2d6ab47
SHA512: 5e735b12e77ab991c9d54b701645268579f154573aa8a04d8bf2cdb5ed59d3a8ede9f5e55cbce848cd5323fa1e6b3950d12ec5bb7a0bebb403d3711979e1cc8b
Malware Config
Extracted (redline):
  1111
  65.21.144.202:62942
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/1184-81-0x00000000001D0000-0x00000000001EC000-memory.dmp  family_redline
  behavioral1/memory/1184-86-0x00000000001D0000-0x00000000001EC000-memory.dmp  family_redline

Executes dropped EXE (3 IoCs)
  pid   Process
  1696  Immobilita.exe.com
  1400  Immobilita.exe.com
  1184  RegAsm.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  1796  cmd.exe
  1696  Immobilita.exe.com
  1400  Immobilita.exe.com
  1184  RegAsm.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process             procid_target
  PID 1400 set thread context of 1184   1400  Immobilita.exe.com  36

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  1536  PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1184  RegAsm.exe
  1184  RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1184  RegAsm.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  description                         pid   Process                                            procid_target
  PID 1084 wrote to memory of 1844    1084  49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe  26
  PID 1084 wrote to memory of 1844    1084  49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe  26
  PID 1084 wrote to memory of 1844    1084  49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe  26
  PID 1084 wrote to memory of 1844    1084  49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe  26
  PID 1844 wrote to memory of 1796    1844  cmd.exe                                            28
  PID 1844 wrote to memory of 1796    1844  cmd.exe                                            28
  PID 1844 wrote to memory of 1796    1844  cmd.exe                                            28
  PID 1844 wrote to memory of 1796    1844  cmd.exe                                            28
  PID 1796 wrote to memory of 1816    1796  cmd.exe                                            29
  PID 1796 wrote to memory of 1816    1796  cmd.exe                                            29
  PID 1796 wrote to memory of 1816    1796  cmd.exe                                            29
  PID 1796 wrote to memory of 1816    1796  cmd.exe                                            29
  PID 1796 wrote to memory of 1696    1796  cmd.exe                                            30
  PID 1796 wrote to memory of 1696    1796  cmd.exe                                            30
  PID 1796 wrote to memory of 1696    1796  cmd.exe                                            30
  PID 1796 wrote to memory of 1696    1796  cmd.exe                                            30
  PID 1796 wrote to memory of 1536    1796  cmd.exe                                            31
  PID 1796 wrote to memory of 1536    1796  cmd.exe                                            31
  PID 1796 wrote to memory of 1536    1796  cmd.exe                                            31
  PID 1796 wrote to memory of 1536    1796  cmd.exe                                            31
  PID 1696 wrote to memory of 1400    1696  Immobilita.exe.com                                 32
  PID 1696 wrote to memory of 1400    1696  Immobilita.exe.com                                 32
  PID 1696 wrote to memory of 1400    1696  Immobilita.exe.com                                 32
  PID 1696 wrote to memory of 1400    1696  Immobilita.exe.com                                 32
  PID 1400 wrote to memory of 1184    1400  Immobilita.exe.com                                 36
  PID 1400 wrote to memory of 1184    1400  Immobilita.exe.com                                 36
  PID 1400 wrote to memory of 1184    1400  Immobilita.exe.com                                 36
  PID 1400 wrote to memory of 1184    1400  Immobilita.exe.com                                 36
  PID 1400 wrote to memory of 1184    1400  Immobilita.exe.com                                 36
  PID 1400 wrote to memory of 1184    1400  Immobilita.exe.com                                 36
  PID 1400 wrote to memory of 1184    1400  Immobilita.exe.com                                 36
  PID 1400 wrote to memory of 1184    1400  Immobilita.exe.com                                 36
  PID 1400 wrote to memory of 1184    1400  Immobilita.exe.com                                 36
Processes

C:\Users\Admin\AppData\Local\Temp\49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe
  "C:\Users\Admin\AppData\Local\Temp\49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1084

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Convertira.xls
    - Suspicious use of WriteProcessMemory
    PID: 1844

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1796

      C:\Windows\SysWOW64\findstr.exe
        findstr /V /R "^UNkJJcORLwTPMDHRmEAwfHRFAGvpIPVddQfdtvAkCrkhWSsYbERcArMjWGpeZEpVyDnVgdMrrgnjcDIHfb$" Dio.xls
        PID: 1816

      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Immobilita.exe.com
        Immobilita.exe.com b
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1696

        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Immobilita.exe.com
          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Immobilita.exe.com b
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 1400

          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1184

      C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 30
        - Runs ping.exe
        PID: 1536