Analysis
- max time kernel: 35s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 08-06-2021 06:38
Static task: static1
Behavioral task: behavioral1
- Sample: ce25050ecae70706d0e7b33d5304ab6b.exe
- Resource: win7v20210410
General
- Target: ce25050ecae70706d0e7b33d5304ab6b.exe
- Size: 659KB
- MD5: ce25050ecae70706d0e7b33d5304ab6b
- SHA1: f1cb237e6daa21a01f9a6492495b8370625ef9f5
- SHA256: acd3e84a50002f93f4f6f3f98b4f0ec25e60889df8e0f15bfff55ddf089cb5c0
- SHA512: 2be1cef57dff89191d7a4cb1b7b93a6036f6e7a2421568e318bf0103230664fbc690a0acb5c4708e9f7a7ba82d85559f0c6fe014c0dc1f8501d6b96099e3db2d
Malware Config
Extracted
- Family: redline
- Botnet: MIX 08.06
- C2: 185.215.113.17:18597
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  - resource: behavioral2/memory/196-122-0x00000000022B0000-0x00000000022CA000-memory.dmp; yara_rule: family_redline
  - resource: behavioral2/memory/196-124-0x00000000024A0000-0x00000000024B9000-memory.dmp; yara_rule: family_redline
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
  - pid: 196; process: edspolishpp.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: ce25050ecae70706d0e7b33d5304ab6b.exe
  - description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; process: ce25050ecae70706d0e7b33d5304ab6b.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - pid: 196; process: edspolishpp.exe
  - pid: 196; process: edspolishpp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - description: Token: SeDebugPrivilege; pid: 196; process: edspolishpp.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - description: PID 3932 wrote to memory of 196; pid: 3932; process: ce25050ecae70706d0e7b33d5304ab6b.exe; target process: edspolishpp.exe
  - description: PID 3932 wrote to memory of 196; pid: 3932; process: ce25050ecae70706d0e7b33d5304ab6b.exe; target process: edspolishpp.exe
  - description: PID 3932 wrote to memory of 196; pid: 3932; process: ce25050ecae70706d0e7b33d5304ab6b.exe; target process: edspolishpp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ce25050ecae70706d0e7b33d5304ab6b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce25050ecae70706d0e7b33d5304ab6b.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID: 3932
  - C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
    Command line: edspolishpp.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 196
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b5e7e1fd00e34e49999f5b60286cd7aa
  SHA1: 3321f734fcf156bca17c7faadc7fe863a44fe849
  SHA256: ec3c9e1878a43c6f5d7c0c5fd98ba61ca5e4d4ceae6ce3c7693e4c3a3c8283fe
  SHA512: 1e01e673aa1fa59a2ce5ddc9148ba15041dee4f00a83021bda32a9a60e27131098f57a69e27b306706e63e2ed0a96fe7d8c765942a3119d718c7afdc0f802e8c