Analysis
- max time kernel: 30s
- max time network: 54s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 31-08-2021 14:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: cedb5a09e7240ec72c1e390c910f7d4f.exe
- Resource: win7v20210408
General
- Target: cedb5a09e7240ec72c1e390c910f7d4f.exe
- Size: 668KB
- MD5: cedb5a09e7240ec72c1e390c910f7d4f
- SHA1: da41410f101354fa4616c6dca1a3114924e59c31
- SHA256: 199ca324948379f2a21e8cd0a7531e14319af74e302ad45820e105b50a9e985f
- SHA512: 2eb7fd0b0c19d5aa62e11f3fb8255309406603e9a9319e012390570da7c246e75287dd1cb131b4cc901e03c56eac2f8247d9021c59cee5b9cb74ae3e20c02f26
Malware Config
Extracted
- Family: redline
- Botnet: mix31.08
- C2: 185.215.113.15:6043
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource: behavioral1/memory/560-69-0x0000000003570000-0x000000000358F000-memory.dmp | yara_rule: family_redline
    resource: behavioral1/memory/560-73-0x0000000003980000-0x000000000399E000-memory.dmp | yara_rule: family_redline
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 560 | process: apinesp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid: 2024 | process: cedb5a09e7240ec72c1e390c910f7d4f.exe
    pid: 2024 | process: cedb5a09e7240ec72c1e390c910f7d4f.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | process: cedb5a09e7240ec72c1e390c910f7d4f.exe
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | process: cedb5a09e7240ec72c1e390c910f7d4f.exe
- Modifies system certificate store
  Processes:
    description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | process: apinesp.exe
    description: Set value (data) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not shown] | process: apinesp.exe
    description: Set value (data) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not shown] | process: apinesp.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid: 560 | process: apinesp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege | pid: 560 | process: apinesp.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description: PID 2024 wrote to memory of 560 | pid: 2024 | process: cedb5a09e7240ec72c1e390c910f7d4f.exe | target process: apinesp.exe (this entry is recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\cedb5a09e7240ec72c1e390c910f7d4f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cedb5a09e7240ec72c1e390c910f7d4f.exe", tree level 1)
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\hyperc\apinesp.exe (command line: apinesp.exe, tree level 2, spawned by the process above)
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\hyperc\apinesp.exe
  MD5: 80be2cb2a90aa45b243abf22a04985bd
  SHA1: 286c7746f725429bfff7994aa79046a114edfce3
  SHA256: 4da095e0a59cecad3fbfc6fa4f33c00e71edc9fffae041a521552390825732f7
  SHA512: 112b8c0505a91aeab9d99f74e2d4f73fa4fb939e7f209fe7ba0119f08b8fa6c9792e8f1e3467a0e5694b0c692b8dcff8ae800cab7312ce4fbd7dc60d47fa27c3
- memory/560-67-0x00000000003B0000-0x00000000003E0000-memory.dmp (Filesize 192KB)
- memory/560-65-0x0000000000000000-mapping.dmp
- memory/560-68-0x0000000000400000-0x0000000001D9A000-memory.dmp (Filesize 25.6MB)
- memory/560-69-0x0000000003570000-0x000000000358F000-memory.dmp (Filesize 124KB)
- memory/560-70-0x0000000006261000-0x0000000006262000-memory.dmp (Filesize 4KB)
- memory/560-72-0x0000000006263000-0x0000000006264000-memory.dmp (Filesize 4KB)
- memory/560-71-0x0000000006262000-0x0000000006263000-memory.dmp (Filesize 4KB)
- memory/560-73-0x0000000003980000-0x000000000399E000-memory.dmp (Filesize 120KB)
- memory/560-74-0x0000000006264000-0x0000000006266000-memory.dmp (Filesize 8KB)
- memory/2024-62-0x0000000000400000-0x000000000058D000-memory.dmp (Filesize 1.6MB)
- memory/2024-60-0x00000000760B1000-0x00000000760B3000-memory.dmp (Filesize 8KB)
- memory/2024-61-0x0000000000590000-0x000000000065E000-memory.dmp (Filesize 824KB)