Overview

overview

10

Static

static

33e4d90657...5b.exe

windows7_x64

10

33e4d90657...5b.exe

windows10_x64

10

Analysis

  • max time kernel
    20s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    25-08-2021 05:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33e4d906579d1842adbddc6e3be27b5b.exe

  • Size

    184KB

  • MD5

    33e4d906579d1842adbddc6e3be27b5b

  • SHA1

    9cc464b63f810e929cbb383de751bcac70d22020

  • SHA256

    b9025aef29f9f9d3126d390e66df8c55a9c9f7c15520f9a59a963932ee86b815

  • SHA512

    4c34f247d5e5ebbad752d7b28ce2c86b122eb82c789a05416f786ef0b265da92826530ee5003848c68f71b7dd3f20389f627ca18bf7981e1582837272ba9f798

Score
10/10
redline3discoveryinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

3

C2

deyrolorme.xyz:80

xariebelal.xyz:80

anihelardd.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33e4d906579d1842adbddc6e3be27b5b.exe
    "C:\Users\Admin\AppData\Local\Temp\33e4d906579d1842adbddc6e3be27b5b.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Roaming\2861586.exe
      "C:\Users\Admin\AppData\Roaming\2861586.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2716 -s 2128
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3456
    • C:\Users\Admin\AppData\Roaming\8409857.exe
      "C:\Users\Admin\AppData\Roaming\8409857.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:1224
    • C:\Users\Admin\AppData\Roaming\6821963.exe
      "C:\Users\Admin\AppData\Roaming\6821963.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3948
    • C:\Users\Admin\AppData\Roaming\3838786.exe
      "C:\Users\Admin\AppData\Roaming\3838786.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 2200
        3⤵
        • Drops file in Windows directory
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\2861586.exe
    MD5

    724252e8cc86d50db3dd965a744188c0

    SHA1

    4f96e366267aa778d2f6b11bc35e5aca518a6c30

    SHA256

    786bcc1e15c4c6c7a37ac4908c5991d5589b6d04c74070c0f083287fc74782ff

    SHA512

    3443a8230f77555e1c101a6b9a91d6695a45ff1cc5a503cb14ba0b87cefc8a58ab7e3d96df344f2df043fd285bc235e81dae51a8c6317d9262c519f945dd7a91

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2861586.exe
    MD5

    724252e8cc86d50db3dd965a744188c0

    SHA1

    4f96e366267aa778d2f6b11bc35e5aca518a6c30

    SHA256

    786bcc1e15c4c6c7a37ac4908c5991d5589b6d04c74070c0f083287fc74782ff

    SHA512

    3443a8230f77555e1c101a6b9a91d6695a45ff1cc5a503cb14ba0b87cefc8a58ab7e3d96df344f2df043fd285bc235e81dae51a8c6317d9262c519f945dd7a91

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3838786.exe
    MD5

    7758440f5f314ea55143cfb56dabf434

    SHA1

    82fe15c964ce358b37115ffb5148d976965c6ef5

    SHA256

    1206f705128ee12694a8fb0b16fc1c1de4703089ea138ba0b2ba80f5c0f7c46b

    SHA512

    17b3e7790952d38311c9d5380f627eced775f38755b2374f6b81e088811706fec14c0d56e01b1aaac2d7030278161c8eb3d0ff6651d14f9e31bbefc9329620bf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3838786.exe
    MD5

    7758440f5f314ea55143cfb56dabf434

    SHA1

    82fe15c964ce358b37115ffb5148d976965c6ef5

    SHA256

    1206f705128ee12694a8fb0b16fc1c1de4703089ea138ba0b2ba80f5c0f7c46b

    SHA512

    17b3e7790952d38311c9d5380f627eced775f38755b2374f6b81e088811706fec14c0d56e01b1aaac2d7030278161c8eb3d0ff6651d14f9e31bbefc9329620bf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6821963.exe
    MD5

    883fe31989c8dfc8f2e22a94ae2d369a

    SHA1

    2933d6fafbebe84c12c0e226bf182e708d3bd32e

    SHA256

    7781a758350e3fba94c86661171371a7fd19f0801bf4cc82c5c94169fed3b9b4

    SHA512

    c9d4ee4ba7e34c4641b25837295a8d7ea6c04f5d25facd9948bb19698e75a833e16f530d6be59fe6cb9d2c5771a1e7e10266adbb121ce1822e1048530e67e313

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6821963.exe
    MD5

    883fe31989c8dfc8f2e22a94ae2d369a

    SHA1

    2933d6fafbebe84c12c0e226bf182e708d3bd32e

    SHA256

    7781a758350e3fba94c86661171371a7fd19f0801bf4cc82c5c94169fed3b9b4

    SHA512

    c9d4ee4ba7e34c4641b25837295a8d7ea6c04f5d25facd9948bb19698e75a833e16f530d6be59fe6cb9d2c5771a1e7e10266adbb121ce1822e1048530e67e313

    Download Submit
  • C:\Users\Admin\AppData\Roaming\8409857.exe
    MD5

    3598180fddc06dbd304b76627143b01d

    SHA1

    1d39b0dd8425359ed94e606cb04f9c5e49ed1899

    SHA256

    44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

    SHA512

    8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\8409857.exe
    MD5

    3598180fddc06dbd304b76627143b01d

    SHA1

    1d39b0dd8425359ed94e606cb04f9c5e49ed1899

    SHA256

    44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

    SHA512

    8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    3598180fddc06dbd304b76627143b01d

    SHA1

    1d39b0dd8425359ed94e606cb04f9c5e49ed1899

    SHA256

    44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

    SHA512

    8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    3598180fddc06dbd304b76627143b01d

    SHA1

    1d39b0dd8425359ed94e606cb04f9c5e49ed1899

    SHA256

    44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

    SHA512

    8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

    Download Submit
  • memory/1224-164-0x00000000051F0000-0x00000000051F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1224-162-0x0000000007A60000-0x0000000007A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1224-151-0x0000000000000000-mapping.dmp
    Download
  • memory/2708-139-0x00000000002D0000-0x00000000002D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-167-0x0000000008510000-0x0000000008511000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-163-0x0000000007D40000-0x0000000007D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-158-0x0000000004C20000-0x0000000004C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-144-0x0000000004A90000-0x0000000004A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-136-0x0000000000000000-mapping.dmp
    Download
  • memory/2716-143-0x000000001AF20000-0x000000001AF22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2716-123-0x00000000002F0000-0x00000000002F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-120-0x0000000000000000-mapping.dmp
    Download
  • memory/2716-130-0x0000000000930000-0x000000000097A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/3904-116-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-117-0x000000001BCE0000-0x000000001BCE2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3904-119-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-118-0x00000000013D0000-0x00000000013EE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3904-114-0x0000000000E90000-0x0000000000E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-132-0x0000000000840000-0x0000000000841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-168-0x0000000008CC0000-0x0000000008CC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-149-0x0000000007680000-0x0000000007681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-150-0x00000000076C0000-0x00000000076C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-147-0x0000000007C50000-0x0000000007C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-148-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-174-0x0000000009390000-0x0000000009391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-171-0x00000000091D0000-0x00000000091D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-160-0x00000000052B0000-0x00000000052B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-161-0x0000000007850000-0x0000000007851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-146-0x0000000002B30000-0x0000000002B62000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3948-128-0x0000000000000000-mapping.dmp
    Download
  • memory/3948-169-0x00000000093C0000-0x00000000093C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4032-125-0x0000000000000000-mapping.dmp
    Download
  • memory/4032-142-0x00000000079F0000-0x00000000079F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4032-141-0x0000000004EC0000-0x0000000004EC6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4032-133-0x0000000000740000-0x0000000000741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4032-145-0x00000000074F0000-0x00000000074F1000-memory.dmp
    Filesize

    4KB

    Download