Analysis
-
max time kernel: 18s
max time network: 114s
platform: windows10_x64
resource: win10v20210410
submitted: 13-08-2021 06:08
Static task: static1
Behavioral task: behavioral1
  Sample: b1dbc3b0_RE8KkS8Ee6.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: b1dbc3b0_RE8KkS8Ee6.exe
  Resource: win10v20210410
General
-
Target: b1dbc3b0_RE8KkS8Ee6.exe
Size: 163KB
MD5: b1dbc3b027105d8032541bc0c5e71abb
SHA1: 1ef1950ecb44e6bd8d0a3849868ec9a0ceaa1130
SHA256: b0eb54f46e5919460cb8d21fdcd695e3356b6311ab0547f18dc3d84a66a14bc4
SHA512: 3f7fd0aa71e6fae5eeaf16cc47a1ac43cdd1f643c1e7e439eb068685558929cf3c74552ad70fbf2d6cad94cc11bb8ea9c099ef1401b868947f1a9e5e44b34f7b
Malware Config
Extracted
redline
7new
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource: behavioral2/memory/2648-143-0x0000000004FF0000-0x0000000005022000-memory.dmp
yara_rule: family_redline
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
Executes dropped EXE 5 IoCs
Processes:
pid   process
2200  2442250.exe
2496  1299482.exe
2648  7459073.exe
2772  7877783.exe
2976  WinHoster.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"
process: 1299482.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 1 IoCs
Processes:
description: File created
ioc: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
process: WerFault.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
pid   pid_target  process       target process
744   2200        WerFault.exe  2442250.exe
1380  2772        WerFault.exe  7877783.exe
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
pid   process
2200  2442250.exe
744   WerFault.exe   (15 entries)
2772  7877783.exe
1380  WerFault.exe   (16 entries)
2648  7459073.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     3424  b1dbc3b0_RE8KkS8Ee6.exe
Token: SeDebugPrivilege     2200  2442250.exe
Token: SeDebugPrivilege     2772  7877783.exe
Token: SeDebugPrivilege     2648  7459073.exe
Token: SeDebugPrivilege     744   WerFault.exe
Token: SeRestorePrivilege   1380  WerFault.exe
Token: SeBackupPrivilege    1380  WerFault.exe
Token: SeBackupPrivilege    1380  WerFault.exe
Token: SeDebugPrivilege     1380  WerFault.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description                       pid   process                  target process
PID 3424 wrote to memory of 2200  3424  b1dbc3b0_RE8KkS8Ee6.exe  2442250.exe    (2 entries)
PID 3424 wrote to memory of 2496  3424  b1dbc3b0_RE8KkS8Ee6.exe  1299482.exe    (3 entries)
PID 3424 wrote to memory of 2648  3424  b1dbc3b0_RE8KkS8Ee6.exe  7459073.exe    (3 entries)
PID 3424 wrote to memory of 2772  3424  b1dbc3b0_RE8KkS8Ee6.exe  7877783.exe    (3 entries)
PID 2496 wrote to memory of 2976  2496  1299482.exe              WinHoster.exe  (3 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1dbc3b0_RE8KkS8Ee6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b1dbc3b0_RE8KkS8Ee6.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3424

  C:\Users\Admin\AppData\Roaming\2442250.exe
    command line: "C:\Users\Admin\AppData\Roaming\2442250.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2200

    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 2200 -s 2028
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 744

  C:\Users\Admin\AppData\Roaming\1299482.exe
    command line: "C:\Users\Admin\AppData\Roaming\1299482.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2496

    C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      - Executes dropped EXE
      PID: 2976

  C:\Users\Admin\AppData\Roaming\7459073.exe
    command line: "C:\Users\Admin\AppData\Roaming\7459073.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2648

  C:\Users\Admin\AppData\Roaming\7877783.exe
    command line: "C:\Users\Admin\AppData\Roaming\7877783.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2772

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 2264
      - Drops file in Windows directory
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1380
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\1299482.exe
  MD5: 1d095bc417db73c6bc6e4c4e7b43106f
  SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
  SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
  SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097
-
C:\Users\Admin\AppData\Roaming\2442250.exe
  MD5: b6b7f896ec6c87db2a811a44abc0c5b5
  SHA1: b17eac180c2139947d2f8fdc87ff8a2a615cbcbf
  SHA256: 02ca78fdf706e494a923c01179c6f2bcc2fd59e55d79039ac7a20a51453670c6
  SHA512: 27150b8bced3845b834be55e40cc31882a0d5290a0363fbc8e0f20244dc6e3f022c2cb5dc7e8a18b9b140994d85995e7e6ee4270ed37bfbc9535cb97ee313c63
-
C:\Users\Admin\AppData\Roaming\7459073.exe
  MD5: 7dfa7a1ec7a798b241d0a3521a0c593a
  SHA1: 23fa15493fd3f2e782488d341331aaf914eeba03
  SHA256: a64f106b863dec9b842e6fd952995a7ad8dd3b272324a1265dfcb513cd986d17
  SHA512: 3817b7a711e354c5111e5354704b3a7fa07cce8801cc46f8c6ca9bf9d893cdfe1d03c7b9faefb135d193bc937a3403de84e2c8ee4a296ca0f397dca73b1acd7b
-
C:\Users\Admin\AppData\Roaming\7877783.exe
  MD5: 36acd7e8f309426cb30aeda6c58234a6
  SHA1: e111555e3324dcb03fda2b03fd4f765dec10ee75
  SHA256: d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d
  SHA512: 62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
  MD5: 1d095bc417db73c6bc6e4c4e7b43106f
  SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
  SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
  SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097
-
memory/2200-146-0x00000000025D0000-0x00000000025D2000-memory.dmp  Filesize: 8KB
-
memory/2200-122-0x00000000005C0000-0x00000000005C1000-memory.dmp  Filesize: 4KB
-
memory/2200-130-0x00000000025A0000-0x00000000025CB000-memory.dmp  Filesize: 172KB
-
memory/2200-119-0x0000000000000000-mapping.dmp
-
memory/2496-135-0x0000000000080000-0x0000000000081000-memory.dmp  Filesize: 4KB
-
memory/2496-124-0x0000000000000000-mapping.dmp
-
memory/2496-144-0x0000000006DE0000-0x0000000006DE1000-memory.dmp  Filesize: 4KB
-
memory/2496-142-0x0000000007200000-0x0000000007201000-memory.dmp  Filesize: 4KB
-
memory/2496-141-0x0000000000690000-0x0000000000697000-memory.dmp  Filesize: 28KB
-
memory/2648-152-0x0000000007580000-0x0000000007581000-memory.dmp  Filesize: 4KB
-
memory/2648-160-0x0000000008B90000-0x0000000008B91000-memory.dmp  Filesize: 4KB
-
memory/2648-155-0x0000000005050000-0x0000000005051000-memory.dmp  Filesize: 4KB
-
memory/2648-139-0x0000000000710000-0x0000000000711000-memory.dmp  Filesize: 4KB
-
memory/2648-165-0x0000000008E40000-0x0000000008E41000-memory.dmp  Filesize: 4KB
-
memory/2648-154-0x0000000007720000-0x0000000007721000-memory.dmp  Filesize: 4KB
-
memory/2648-143-0x0000000004FF0000-0x0000000005022000-memory.dmp  Filesize: 200KB
-
memory/2648-162-0x0000000008D60000-0x0000000008D61000-memory.dmp  Filesize: 4KB
-
memory/2648-145-0x0000000007AD0000-0x0000000007AD1000-memory.dmp  Filesize: 4KB
-
memory/2648-126-0x0000000000000000-mapping.dmp
-
memory/2648-149-0x0000000007540000-0x0000000007541000-memory.dmp  Filesize: 4KB
-
memory/2648-147-0x00000000074E0000-0x00000000074E1000-memory.dmp  Filesize: 4KB
-
memory/2648-161-0x0000000009290000-0x0000000009291000-memory.dmp  Filesize: 4KB
-
memory/2772-131-0x0000000000000000-mapping.dmp
-
memory/2772-159-0x00000000091A0000-0x00000000091A1000-memory.dmp  Filesize: 4KB
-
memory/2772-153-0x0000000001640000-0x000000000166B000-memory.dmp  Filesize: 172KB
-
memory/2772-148-0x00000000055A0000-0x00000000055A1000-memory.dmp  Filesize: 4KB
-
memory/2772-156-0x00000000089C0000-0x00000000089C1000-memory.dmp  Filesize: 4KB
-
memory/2772-136-0x0000000000C50000-0x0000000000C51000-memory.dmp  Filesize: 4KB
-
memory/2976-150-0x0000000000000000-mapping.dmp
-
memory/3424-116-0x00000000007B0000-0x00000000007B1000-memory.dmp  Filesize: 4KB
-
memory/3424-117-0x00000000007C0000-0x00000000007DD000-memory.dmp  Filesize: 116KB
-
memory/3424-114-0x0000000000090000-0x0000000000091000-memory.dmp  Filesize: 4KB
-
memory/3424-127-0x000000001ADB0000-0x000000001ADB2000-memory.dmp  Filesize: 8KB
-
memory/3424-118-0x00000000007E0000-0x00000000007E1000-memory.dmp  Filesize: 4KB