Overview

overview

10

Static

static

400ee0714d...71.exe

windows7_x64

10

400ee0714d...71.exe

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-07-2021 08:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    400ee0714dd95e2444a1242483027271.exe

  • Size

    594KB

  • MD5

    400ee0714dd95e2444a1242483027271

  • SHA1

    2eba3d61e364e8a40f187556c337809b92e06914

  • SHA256

    f80044762635fc93a0b1f612664bd9b0b21fa0e88fd473b8f298d9726c43f9a8

  • SHA512

    586f59447cd3109d8e64b0f53da1cc80c3ef89d8013ead6154a103f638e4539a20cbeb4ac5bfc96c8be87cde74dc3c6749c8f3e9cebf330eb903bdc5b9370d36

Score
10/10
redlinemix 22.07discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

MIX 22.07

C2

185.215.113.17:18597

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\400ee0714dd95e2444a1242483027271.exe
    "C:\Users\Admin\AppData\Local\Temp\400ee0714dd95e2444a1242483027271.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Users\Admin\AppData\Roaming\closestep\apineshpp.exe
      apineshpp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\closestep\apineshpp.exe
    MD5

    63f1959b30ea4591bb0b2f5961b36850

    SHA1

    26c0c9c14a48b61971d528c98906cb79c68936c4

    SHA256

    f6ae1e90093fda0271db6d607a78af61c437253c3edd42019daf274c5369b8cb

    SHA512

    4d1de859652c321a2f14115debc049f2a17f8bd99b3a05e4c64edce40ca34f66930429478414645c7055d97c0822b67804998fe94e835db2aaeda1de836ee186

    Download Submit
  • C:\Users\Admin\AppData\Roaming\closestep\apineshpp.exe
    MD5

    63f1959b30ea4591bb0b2f5961b36850

    SHA1

    26c0c9c14a48b61971d528c98906cb79c68936c4

    SHA256

    f6ae1e90093fda0271db6d607a78af61c437253c3edd42019daf274c5369b8cb

    SHA512

    4d1de859652c321a2f14115debc049f2a17f8bd99b3a05e4c64edce40ca34f66930429478414645c7055d97c0822b67804998fe94e835db2aaeda1de836ee186

    Download Submit
  • memory/1364-124-0x0000000004D10000-0x0000000004D29000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1364-127-0x00000000073E3000-0x00000000073E4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-136-0x0000000009870000-0x0000000009871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-120-0x0000000000400000-0x0000000002B94000-memory.dmp
    Filesize

    39.6MB

    Download
  • memory/1364-119-0x0000000002BA0000-0x0000000002C4E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/1364-121-0x0000000004940000-0x000000000495B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1364-122-0x00000000073E0000-0x00000000073E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-123-0x00000000073F0000-0x00000000073F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-135-0x00000000093C0000-0x00000000093C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-125-0x00000000078F0000-0x00000000078F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-126-0x00000000073E2000-0x00000000073E3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-116-0x0000000000000000-mapping.dmp
    Download
  • memory/1364-128-0x00000000072C0000-0x00000000072C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-129-0x00000000072E0000-0x00000000072E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-130-0x00000000073E4000-0x00000000073E6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1364-131-0x0000000007340000-0x0000000007341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-132-0x0000000007FF0000-0x0000000007FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-133-0x0000000008C30000-0x0000000008C31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-134-0x0000000008E00000-0x0000000008E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3492-114-0x0000000000E70000-0x0000000000F3C000-memory.dmp
    Filesize

    816KB

    Download
  • memory/3492-115-0x0000000000400000-0x00000000008FE000-memory.dmp
    Filesize

    5.0MB

    Download