Overview

overview

10

Static

static

028d53f522...fa.exe

windows7_x64

10

028d53f522...fa.exe

windows11_x64

10

028d53f522...fa.exe

windows10_x64

10

Bot_Checker.exe

windows7_x64

3

Bot_Checker.exe

windows11_x64

10

Bot_Checker.exe

windows10_x64

10

Uninstall.exe

windows7_x64

3

Uninstall.exe

windows11_x64

6

Uninstall.exe

windows10_x64

3

Versium.exe

windows7_x64

9

Versium.exe

windows11_x64

10

Versium.exe

windows10_x64

10

VersiumRes...it.exe

windows7_x64

10

VersiumRes...it.exe

windows11_x64

10

VersiumRes...it.exe

windows10_x64

10

VersiumRes...it.exe

windows7_x64

8

VersiumRes...it.exe

windows11_x64

8

VersiumRes...it.exe

windows10_x64

8

Versiumresearch.exe

windows7_x64

10

Versiumresearch.exe

windows11_x64

Versiumresearch.exe

windows10_x64

10

Resubmissions

12-08-2021 21:22

210812-n6l9952p1a 10

12-08-2021 20:38

210812-sm95c1t59j 10

Analysis

  • max time kernel
    719s
  • max time network
    1445s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-08-2021 20:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Versiumresearch.exe

  • Size

    163KB

  • MD5

    b1dbc3b027105d8032541bc0c5e71abb

  • SHA1

    1ef1950ecb44e6bd8d0a3849868ec9a0ceaa1130

  • SHA256

    b0eb54f46e5919460cb8d21fdcd695e3356b6311ab0547f18dc3d84a66a14bc4

  • SHA512

    3f7fd0aa71e6fae5eeaf16cc47a1ac43cdd1f643c1e7e439eb068685558929cf3c74552ad70fbf2d6cad94cc11bb8ea9c099ef1401b868947f1a9e5e44b34f7b

Score
10/10
redline7newdiscoveryinfostealerpersistencespywarestealersuricata

Malware Config

Extracted

Family

redline

Botnet

7new

C2

sytareliar.xyz:80

yabelesatg.xyz:80

ceneimarck.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Versiumresearch.exe
    "C:\Users\Admin\AppData\Local\Temp\Versiumresearch.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Roaming\4841775.exe
      "C:\Users\Admin\AppData\Roaming\4841775.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2396 -s 2028
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3616
    • C:\Users\Admin\AppData\Roaming\5260485.exe
      "C:\Users\Admin\AppData\Roaming\5260485.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:3116
    • C:\Users\Admin\AppData\Roaming\4981553.exe
      "C:\Users\Admin\AppData\Roaming\4981553.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Users\Admin\AppData\Roaming\8270704.exe
      "C:\Users\Admin\AppData\Roaming\8270704.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4072
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 2224
        3⤵
        • Drops file in Windows directory
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1172

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\4841775.exe
    MD5

    b6b7f896ec6c87db2a811a44abc0c5b5

    SHA1

    b17eac180c2139947d2f8fdc87ff8a2a615cbcbf

    SHA256

    02ca78fdf706e494a923c01179c6f2bcc2fd59e55d79039ac7a20a51453670c6

    SHA512

    27150b8bced3845b834be55e40cc31882a0d5290a0363fbc8e0f20244dc6e3f022c2cb5dc7e8a18b9b140994d85995e7e6ee4270ed37bfbc9535cb97ee313c63

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4841775.exe
    MD5

    b6b7f896ec6c87db2a811a44abc0c5b5

    SHA1

    b17eac180c2139947d2f8fdc87ff8a2a615cbcbf

    SHA256

    02ca78fdf706e494a923c01179c6f2bcc2fd59e55d79039ac7a20a51453670c6

    SHA512

    27150b8bced3845b834be55e40cc31882a0d5290a0363fbc8e0f20244dc6e3f022c2cb5dc7e8a18b9b140994d85995e7e6ee4270ed37bfbc9535cb97ee313c63

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4981553.exe
    MD5

    7dfa7a1ec7a798b241d0a3521a0c593a

    SHA1

    23fa15493fd3f2e782488d341331aaf914eeba03

    SHA256

    a64f106b863dec9b842e6fd952995a7ad8dd3b272324a1265dfcb513cd986d17

    SHA512

    3817b7a711e354c5111e5354704b3a7fa07cce8801cc46f8c6ca9bf9d893cdfe1d03c7b9faefb135d193bc937a3403de84e2c8ee4a296ca0f397dca73b1acd7b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4981553.exe
    MD5

    7dfa7a1ec7a798b241d0a3521a0c593a

    SHA1

    23fa15493fd3f2e782488d341331aaf914eeba03

    SHA256

    a64f106b863dec9b842e6fd952995a7ad8dd3b272324a1265dfcb513cd986d17

    SHA512

    3817b7a711e354c5111e5354704b3a7fa07cce8801cc46f8c6ca9bf9d893cdfe1d03c7b9faefb135d193bc937a3403de84e2c8ee4a296ca0f397dca73b1acd7b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\5260485.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit

  • C:\Users\Admin\AppData\Roaming\5260485.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8270704.exe
    MD5

    36acd7e8f309426cb30aeda6c58234a6

    SHA1

    e111555e3324dcb03fda2b03fd4f765dec10ee75

    SHA256

    d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d

    SHA512

    62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8270704.exe
    MD5

    36acd7e8f309426cb30aeda6c58234a6

    SHA1

    e111555e3324dcb03fda2b03fd4f765dec10ee75

    SHA256

    d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d

    SHA512

    62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    1d095bc417db73c6bc6e4c4e7b43106f

    SHA1

    db7e49df1fb5a0a665976f98ff7128aeba40c5f3

    SHA256

    b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

    SHA512

    3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

    Download Submit

  • memory/1828-114-0x0000000000400000-0x0000000000401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1828-117-0x0000000000930000-0x000000000094D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1828-129-0x0000000000950000-0x0000000000952000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1828-118-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1828-116-0x0000000000920000-0x0000000000921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2396-119-0x0000000000000000-mapping.dmp

    Download

  • memory/2396-130-0x0000000000DA0000-0x0000000000DCB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2396-148-0x000000001B5D0000-0x000000001B5D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2396-122-0x0000000000890000-0x0000000000891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-141-0x0000000000AA0000-0x0000000000AA7000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2704-143-0x0000000007650000-0x0000000007651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-136-0x0000000000440000-0x0000000000441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-123-0x0000000000000000-mapping.dmp

    Download

  • memory/2704-145-0x00000000071F0000-0x00000000071F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-162-0x0000000004A70000-0x0000000004A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-150-0x0000000006F40000-0x0000000006F41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-142-0x00000000047A0000-0x00000000047D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2824-146-0x00000000049F0000-0x00000000049F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-147-0x0000000006F00000-0x0000000006F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-174-0x0000000009660000-0x0000000009661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-144-0x0000000007510000-0x0000000007511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-168-0x0000000008530000-0x0000000008531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-169-0x0000000008C30000-0x0000000008C31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-172-0x0000000008B60000-0x0000000008B61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-127-0x0000000000000000-mapping.dmp

    Download

  • memory/2824-137-0x00000000000B0000-0x00000000000B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-161-0x00000000070C0000-0x00000000070C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3116-160-0x0000000007600000-0x0000000007601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3116-151-0x0000000000000000-mapping.dmp

    Download

  • memory/3116-163-0x0000000004C90000-0x0000000004C91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-149-0x0000000004A50000-0x0000000004A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-167-0x00000000084E0000-0x00000000084E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-164-0x0000000007E50000-0x0000000007E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-135-0x00000000000D0000-0x00000000000D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-152-0x0000000006FE0000-0x000000000700B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4072-131-0x0000000000000000-mapping.dmp

    Download