Analysis
- max time kernel: 37s
- max time network: 67s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 04:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe
- Resource: win7v20210410
General
- Target: 8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe
- Size: 723KB
- MD5: 5c7a96e9e751658f051daa79ac1e4cf0
- SHA1: 786f93d12910979c125ae6de7335d1aa80b5ed3e
- SHA256: a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5
- SHA512: e624b68903efab2b7cd287b8c48e8afb08399770d0533238de2d0e17944dde9d8587041de81499b8c8b737bdbfb9e87f06539cdfff5c0d8da2713916512e0de9
Malware Config
Extracted
- Family: redline
- C2: stanntinab.xyz:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource: behavioral1/memory/1076-104-0x0000000000480000-0x000000000049C000-memory.dmp; yara_rule: family_redline
    resource: behavioral1/memory/1076-111-0x0000000001E80000-0x0000000001E9B000-memory.dmp; yara_rule: family_redline
- Executes dropped EXE (3 IoCs)
  Processes:
    pid 272   process hock.exe
    pid 1256  process sid.exe
    pid 1076  process sid.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid 1960  process cmd.exe
    pid 1712  process cmd.exe
    pid 1712  process cmd.exe
    pid 1256  process sid.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 1256 set thread context of 1076; pid 1256; process sid.exe; target process sid.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (5 IoCs)
  Processes:
    pid 1768  process timeout.exe
    pid 1028  process timeout.exe
    pid 1644  process timeout.exe
    pid 1688  process timeout.exe
    pid 1348  process timeout.exe
- Kills process with taskkill (2 IoCs)
  Processes:
    pid 836   process taskkill.exe
    pid 940   process taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 1076  process sid.exe
    pid 1076  process sid.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description: Token: SeDebugPrivilege; pid 836; process taskkill.exe
    description: Token: SeDebugPrivilege; pid 940; process taskkill.exe
    description: Token: SeDebugPrivilege; pid 1076; process sid.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (unique parent/target pairs):
    description: PID 1724 wrote to memory of 1364; pid 1724; process 8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe; target process WScript.exe
    description: PID 1364 wrote to memory of 1960; pid 1364; process WScript.exe; target process cmd.exe
    description: PID 1960 wrote to memory of 1768; pid 1960; process cmd.exe; target process timeout.exe
    description: PID 1960 wrote to memory of 272; pid 1960; process cmd.exe; target process hock.exe
    description: PID 1960 wrote to memory of 1028; pid 1960; process cmd.exe; target process timeout.exe
    description: PID 1960 wrote to memory of 1864; pid 1960; process cmd.exe; target process WScript.exe
    description: PID 1960 wrote to memory of 1644; pid 1960; process cmd.exe; target process timeout.exe
    description: PID 1864 wrote to memory of 1712; pid 1864; process WScript.exe; target process cmd.exe
    description: PID 1712 wrote to memory of 1664; pid 1712; process cmd.exe; target process attrib.exe
    description: PID 1712 wrote to memory of 1688; pid 1712; process cmd.exe; target process timeout.exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes:
    pid 1664  process attrib.exe
    pid 1768  process attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1724
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\inst1\datapjgf\5g56656161.vbs" /f=CREATE_NO_WINDOW install.cmd
      - Suspicious use of WriteProcessMemory
      PID: 1364
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\inst1\datapjgf\yui.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1960
      [4] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 7
          - Delays execution with timeout.exe
          PID: 1768
      [4] C:\inst1\datapjgf\hock.exe
          Command line: "hock.exe" e -pfile kool.rar
          - Executes dropped EXE
          PID: 272
      [4] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 6
          - Delays execution with timeout.exe
          PID: 1028
      [4] C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\inst1\datapjgf\als.vbs"
          - Suspicious use of WriteProcessMemory
          PID: 1864
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\inst1\datapjgf\fsp.bat" "
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 1712
          [6] C:\Windows\SysWOW64\attrib.exe
              Command line: attrib +s +h "C:\inst1"
              - Views/modifies file attributes
              PID: 1664
          [6] C:\Windows\SysWOW64\timeout.exe
              Command line: timeout 2
              - Delays execution with timeout.exe
              PID: 1688
          [6] C:\inst1\datapjgf\sid.exe
              Command line: sid.exe /start
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              PID: 1256
            [7] C:\inst1\datapjgf\sid.exe
                Command line: sid.exe /start
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1076
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im hock.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 836
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im hock.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 940
          [6] C:\Windows\SysWOW64\attrib.exe
              Command line: attrib -s -h "C:\inst1\datapjgf"
              - Views/modifies file attributes
              PID: 1768
          [6] C:\Windows\SysWOW64\timeout.exe
              Command line: timeout 4
              - Delays execution with timeout.exe
              PID: 1348
      [4] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 8
          - Delays execution with timeout.exe
          PID: 1644
Network
MITRE ATT&CK Enterprise v6