Analysis
- max time kernel: 144s
- max time network: 156s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-07-2021 08:01

Static task: static1
Behavioral task: behavioral1
- Sample: 400ee0714dd95e2444a1242483027271.exe
- Resource: win7v20210410
General
- Target: 400ee0714dd95e2444a1242483027271.exe
- Size: 594KB
- MD5: 400ee0714dd95e2444a1242483027271
- SHA1: 2eba3d61e364e8a40f187556c337809b92e06914
- SHA256: f80044762635fc93a0b1f612664bd9b0b21fa0e88fd473b8f298d9726c43f9a8
- SHA512: 586f59447cd3109d8e64b0f53da1cc80c3ef89d8013ead6154a103f638e4539a20cbeb4ac5bfc96c8be87cde74dc3c6749c8f3e9cebf330eb903bdc5b9370d36
Malware Config
Extracted
- Family: redline
- Botnet: MIX 22.07
- C2: 185.215.113.17:18597
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource                                                                       yara_rule
    behavioral2/memory/1364-121-0x0000000004940000-0x000000000495B000-memory.dmp  family_redline
    behavioral2/memory/1364-124-0x0000000004D10000-0x0000000004D29000-memory.dmp  family_redline
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1364  apineshpp.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill/form data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                   process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      400ee0714dd95e2444a1242483027271.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  400ee0714dd95e2444a1242483027271.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1364  apineshpp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1364  apineshpp.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 3492 wrote to memory of 1364  3492  400ee0714dd95e2444a1242483027271.exe  apineshpp.exe
    PID 3492 wrote to memory of 1364  3492  400ee0714dd95e2444a1242483027271.exe  apineshpp.exe
    PID 3492 wrote to memory of 1364  3492  400ee0714dd95e2444a1242483027271.exe  apineshpp.exe
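The behavioural signatures listed above map directly onto hunt logic. The block below is an added example and is not part of the sandbox report or of any vendor tooling: it encodes the report's observations (a loader in %TEMP% starting an EXE under AppData\Roaming, the ProcessorNameString read, Uninstall-key enumeration, the dropped file's SHA-256 and the C2 socket) as rules and runs them over a handful of constructed telemetry events. The event dicts, their field names and the benign "noise" events are assumptions made for the example; they are not taken from the report.

```python
import re
from collections import defaultdict

# Indicators taken from the sandbox report above.
C2_HOST, C2_PORT = "185.215.113.17", 18597
DROPPED_SHA256 = "f6ae1e90093fda0271db6d607a78af61c437253c3edd42019daf274c5369b8cb"
CPU_NAME_VALUE = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\400ee0714dd95e2444a1242483027271.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\closestep\apineshpp.exe"

# Generic patterns behind the "Executes dropped EXE" and "Checks installed software" signatures.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)


def norm_reg(path):
    r"""Map the native \REGISTRY\MACHINE and \REGISTRY\USER prefixes the sandbox logs
    to the HKLM / HKU form most EDR telemetry uses, so both spellings compare equal."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    return re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.I)


def evaluate(events):
    """Apply the report-derived rules to a list of event dicts; returns {pid: [finding, ...]}.
    Only processes that trip at least one rule appear in the result."""
    findings = defaultdict(list)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            image = ev["image"]
            # Loader in %TEMP% launching an EXE it dropped under AppData (Roaming or Local).
            if image.lower().endswith(".exe") and USER_WRITABLE.search(image) \
                    and TEMP_DIR.search(ev["parent_image"]):
                findings[pid].append("EXE under AppData launched by a parent running from Temp")
            if ev.get("sha256", "").lower() == DROPPED_SHA256:
                findings[pid].append("SHA-256 matches dropped apineshpp.exe")
        elif kind == "registry_query":
            target = norm_reg(ev["target"]).lower()
            # CPU-name read is normal for installed software; it is the user-writable origin that matters.
            if target == norm_reg(CPU_NAME_VALUE).lower() and USER_WRITABLE.search(ev["image"]):
                findings[pid].append("ProcessorNameString read by a binary in a user-writable path (sandbox check)")
            if UNINSTALL_KEY.search(target):
                findings[pid].append("installed-software enumeration via the Uninstall key")
        elif kind == "network_connect":
            if ev["dst_ip"] == C2_HOST and int(ev["dst_port"]) == C2_PORT:
                findings[pid].append(f"connection to RedLine C2 {C2_HOST}:{C2_PORT}")
    return dict(findings)


# Constructed telemetry (assumption: a generic EDR-style event shape, not Sysmon and not the report's format).
# The first four events mirror the report's process tree; the last two are benign noise that must not fire.
EVENTS = [
    {"type": "registry_query", "pid": 3492, "image": LOADER, "target": CPU_NAME_VALUE},
    {"type": "process_create", "pid": 1364, "image": DROPPED, "parent_pid": 3492,
     "parent_image": LOADER, "sha256": DROPPED_SHA256},
    {"type": "registry_query", "pid": 1364, "image": DROPPED,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"},
    {"type": "network_connect", "pid": 1364, "image": DROPPED, "dst_ip": C2_HOST, "dst_port": C2_PORT},
    {"type": "registry_query", "pid": 777, "image": r"C:\Windows\System32\svchost.exe", "target": CPU_NAME_VALUE},
    {"type": "process_create", "pid": 778, "image": r"C:\Program Files\ExampleApp\app.exe",
     "parent_pid": 1, "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, hits in sorted(evaluate(EVENTS).items()):
        print(pid, *hits, sep="\n  ")
```

Two caveats when porting these rules to real telemetry. Sysmon does not record registry reads (its registry events cover key create/delete, value set and rename), so the ProcessorNameString and Uninstall-key rules need an EDR or ETW source that logs queries. The hash rule is the weakest of the set because stealer builds are repacked constantly; the %APPDATA%\closestep\apineshpp.exe path, the Temp-to-Roaming parent/child relationship and the 185.215.113.17:18597 socket are the pivots worth keeping.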
Processes
1. C:\Users\Admin\AppData\Local\Temp\400ee0714dd95e2444a1242483027271.exe (PID 3492)
   command line: "C:\Users\Admin\AppData\Local\Temp\400ee0714dd95e2444a1242483027271.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\closestep\apineshpp.exe (PID 1364, child of 1)
      command line: apineshpp.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\closestep\apineshpp.exe
  MD5: 63f1959b30ea4591bb0b2f5961b36850
  SHA1: 26c0c9c14a48b61971d528c98906cb79c68936c4
  SHA256: f6ae1e90093fda0271db6d607a78af61c437253c3edd42019daf274c5369b8cb
  SHA512: 4d1de859652c321a2f14115debc049f2a17f8bd99b3a05e4c64edce40ca34f66930429478414645c7055d97c0822b67804998fe94e835db2aaeda1de836ee186
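The four digests of the dropped binary are the file-level IoCs this report yields. The block below is an added example, not part of the report or of any sandbox tooling: a one-pass hasher that computes MD5, SHA-1, SHA-256 and SHA-512 together, a matcher that tolerates feeds publishing only one of them, and a recursive sweep of a directory. The demo runs on constructed bytes written to a temporary directory (they are not the real sample), so the only thing that can match there is the demo's own single-hash feed; the report's real hashes match nothing, as expected.

```python
import hashlib
import tempfile
from pathlib import Path

# Digests of the dropped binary as listed under Downloads in the report.
DROPPED_HASHES = {
    "md5": "63f1959b30ea4591bb0b2f5961b36850",
    "sha1": "26c0c9c14a48b61971d528c98906cb79c68936c4",
    "sha256": "f6ae1e90093fda0271db6d607a78af61c437253c3edd42019daf274c5369b8cb",
    "sha512": "4d1de859652c321a2f14115debc049f2a17f8bd99b3a05e4c64edce40ca34f66930429478414645c7055d97c0822b67804998fe94e835db2aaeda1de836ee186",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_file(path, chunk=1 << 20):
    """Compute all four digests in one pass so a large file is read once, not four times."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests, iocs=DROPPED_HASHES):
    """Sorted list of algorithms on which the file's digests agree with the IoC set.
    Feeds often publish a single hash, so an algorithm absent from the feed is skipped, not counted as a mismatch."""
    return sorted(name for name, value in digests.items()
                  if iocs.get(name, "").lower() == value)


def sweep(root, iocs=DROPPED_HASHES):
    """Walk root recursively; return {path: [matched algorithms]} for every file matching on at least one digest."""
    results = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            hits = match_iocs(digest_file(p), iocs)
            if hits:
                results[str(p)] = hits
    return results


def demo():
    """Self-contained run on constructed data (not the real sample): one file that matches a
    SHA-256-only feed and one that does not; a second sweep with the report's real hashes finds nothing."""
    root = tempfile.mkdtemp()
    target = Path(root) / "constructed_dropper.bin"
    target.write_bytes(b"constructed bytes standing in for apineshpp.exe")   # constructed, not the sample
    (Path(root) / "benign.txt").write_text("unrelated file")
    single_hash_feed = {"sha256": hashlib.sha256(target.read_bytes()).hexdigest()}
    return sweep(root, single_hash_feed), sweep(root)


if __name__ == "__main__":
    print(demo())
```

On a Windows host the natural root is the user's roaming profile, e.g. `sweep(os.path.expandvars(r"%APPDATA%"))`, which covers the `closestep` directory the report shows. Treat an MD5-only or SHA-1-only hit as a lead rather than a verdict and confirm on SHA-256; and remember that a clean sweep proves little for a family that is repacked per campaign, so pair the hash check with the path and C2 indicators above.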
- memory/3492-114-0x0000000000E70000-0x0000000000F3C000-memory.dmp (816KB)
- memory/3492-115-0x0000000000400000-0x00000000008FE000-memory.dmp (5.0MB)
- memory/1364-116-0x0000000000000000-mapping.dmp
- memory/1364-119-0x0000000002BA0000-0x0000000002C4E000-memory.dmp (696KB)
- memory/1364-120-0x0000000000400000-0x0000000002B94000-memory.dmp (39.6MB)
- memory/1364-121-0x0000000004940000-0x000000000495B000-memory.dmp (108KB)
- memory/1364-122-0x00000000073E0000-0x00000000073E1000-memory.dmp (4KB)
- memory/1364-123-0x00000000073F0000-0x00000000073F1000-memory.dmp (4KB)
- memory/1364-124-0x0000000004D10000-0x0000000004D29000-memory.dmp (100KB)
- memory/1364-125-0x00000000078F0000-0x00000000078F1000-memory.dmp (4KB)
- memory/1364-126-0x00000000073E2000-0x00000000073E3000-memory.dmp (4KB)
- memory/1364-127-0x00000000073E3000-0x00000000073E4000-memory.dmp (4KB)
- memory/1364-128-0x00000000072C0000-0x00000000072C1000-memory.dmp (4KB)
- memory/1364-129-0x00000000072E0000-0x00000000072E1000-memory.dmp (4KB)
- memory/1364-130-0x00000000073E4000-0x00000000073E6000-memory.dmp (8KB)
- memory/1364-131-0x0000000007340000-0x0000000007341000-memory.dmp (4KB)
- memory/1364-132-0x0000000007FF0000-0x0000000007FF1000-memory.dmp (4KB)
- memory/1364-133-0x0000000008C30000-0x0000000008C31000-memory.dmp (4KB)
- memory/1364-134-0x0000000008E00000-0x0000000008E01000-memory.dmp (4KB)
- memory/1364-135-0x00000000093C0000-0x00000000093C1000-memory.dmp (4KB)
- memory/1364-136-0x0000000009870000-0x0000000009871000-memory.dmp (4KB)