Overview

overview

10

Static

static

a4f4b5daa8...34.exe

windows7_x64

10

a4f4b5daa8...34.exe

windows10_x64

10

Analysis

  • max time kernel
    21s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-07-2021 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4f4b5daa83bb6dc85ede588ffbfdb34.exe

  • Size

    212KB

  • MD5

    a4f4b5daa83bb6dc85ede588ffbfdb34

  • SHA1

    9bbaac140fa643d30bf25af71561f5ee35874898

  • SHA256

    f61201b7b85a410a62c1f1946095b3feabb6e672fb8ddc0c64789a02ae9a06f4

  • SHA512

    b4f436bd64384d767109d04eea6f3f5ad192c4f1e71cc31a88ba4ac78ef97da3ef1aaade388dfc9240c38e386993e9dc21803554db8513f0ed7ebe00ee248624

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4f4b5daa83bb6dc85ede588ffbfdb34.exe
    "C:\Users\Admin\AppData\Local\Temp\a4f4b5daa83bb6dc85ede588ffbfdb34.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Users\Admin\AppData\Roaming\3805112.exe
      "C:\Users\Admin\AppData\Roaming\3805112.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3200
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3200 -s 2136
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
    • C:\Users\Admin\AppData\Roaming\2217218.exe
      "C:\Users\Admin\AppData\Roaming\2217218.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\2217218.exe
    MD5

    52be91bb8576b57551f38cf98bd984cc

    SHA1

    d4b25085ae85e7b4edc2db2f77e4108fd7345fc1

    SHA256

    2eff8b37b39a5384bf9a3732bd7395af3430bd36eafdad4ba5cec6f707cdd680

    SHA512

    f648be8d881ba47b87544327843add140cc4142ab7fac89cd87d3c79bed23524d7b40e35fd0c65a8c50a62c4e4f32d9a1681b3e043ea882bbfc46425891011b1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\2217218.exe
    MD5

    52be91bb8576b57551f38cf98bd984cc

    SHA1

    d4b25085ae85e7b4edc2db2f77e4108fd7345fc1

    SHA256

    2eff8b37b39a5384bf9a3732bd7395af3430bd36eafdad4ba5cec6f707cdd680

    SHA512

    f648be8d881ba47b87544327843add140cc4142ab7fac89cd87d3c79bed23524d7b40e35fd0c65a8c50a62c4e4f32d9a1681b3e043ea882bbfc46425891011b1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\3805112.exe
    MD5

    a37b1548c0985ae8a2763cf6d1b39c80

    SHA1

    02fc37e10be4d933c05ee52d5363bee65fb914a6

    SHA256

    8c31f3d89d2123272c1167ad1e929aa685d4065a5f334f651d4c09c0e291e986

    SHA512

    89f7b6b7a8f6136854bd217ac6d9170575621a66bf42f51105354ab2419ed4a4df041e94eab64ec171b2c5bbb5dbe13f5f52cb137c38c6c1758508a3fc347bb9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\3805112.exe
    MD5

    a37b1548c0985ae8a2763cf6d1b39c80

    SHA1

    02fc37e10be4d933c05ee52d5363bee65fb914a6

    SHA256

    8c31f3d89d2123272c1167ad1e929aa685d4065a5f334f651d4c09c0e291e986

    SHA512

    89f7b6b7a8f6136854bd217ac6d9170575621a66bf42f51105354ab2419ed4a4df041e94eab64ec171b2c5bbb5dbe13f5f52cb137c38c6c1758508a3fc347bb9

    Download Submit

  • memory/2524-132-0x00000000006F0000-0x00000000006F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-140-0x00000000076F0000-0x00000000076F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-145-0x0000000008F70000-0x0000000008F71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-144-0x0000000009CA0000-0x0000000009CA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-134-0x00000000073B0000-0x00000000073E2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2524-143-0x0000000008D40000-0x0000000008D41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-125-0x0000000000000000-mapping.dmp

    Download

  • memory/2524-135-0x0000000007A70000-0x0000000007A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-142-0x0000000009270000-0x0000000009271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-141-0x0000000008B70000-0x0000000008B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-139-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-138-0x0000000007560000-0x0000000007561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-137-0x0000000007520000-0x0000000007521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-136-0x00000000074C0000-0x00000000074C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3200-123-0x00000000006C0000-0x00000000006C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3200-131-0x0000000000D30000-0x0000000000D32000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3200-120-0x0000000000000000-mapping.dmp

    Download

  • memory/3200-129-0x0000000000D20000-0x0000000000D21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3200-128-0x0000000000D40000-0x0000000000D90000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3200-126-0x0000000000D10000-0x0000000000D11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3728-117-0x00000000024A0000-0x00000000024C3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3728-118-0x0000000000B70000-0x0000000000B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3728-116-0x0000000000890000-0x0000000000891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3728-114-0x0000000000430000-0x0000000000431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3728-119-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

    Filesize

    8KB

    Download