Analysis
- max time kernel: 35s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 31-08-2021 10:00
- Static task: static1
General
- Target: 1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe
- Size: 669KB
- MD5: 05ed63df3b41b74852b191998d06892a
- SHA1: 9ce8a01e8e7e2e314acb3e85414aafcb95cf0066
- SHA256: 1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835
- SHA512: e28802e4fdf803d9e4ff4d8f5696a0582d96cfe107b7198288e2fd6bd828a77e0fa42df6f3a24688c1b92c119bbd80f828458dd6a705ad3eeb613013efe269b7
Malware Config
Extracted:
- redline
- mix31.08
- 185.215.113.15:6043
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload (2 IoCs)
Resource / YARA rule:
- behavioral1/memory/1248-121-0x0000000003960000-0x000000000397F000-memory.dmp: family_redline
- behavioral1/memory/1248-123-0x0000000003D60000-0x0000000003D7E000-memory.dmp: family_redline
-
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
-
Downloads MZ/PE file
-
Executes dropped EXE (1 IoC)
Processes (apinesp.exe):
- pid 1248, process apinesp.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process 1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process 1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe)
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (apinesp.exe):
- pid 1248, process apinesp.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (apinesp.exe):
- Token: SeDebugPrivilege (pid 1248, process apinesp.exe)
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe):
- PID 804 wrote to memory of 1248 (pid 804, process 1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe, target process apinesp.exe)
- PID 804 wrote to memory of 1248 (pid 804, process 1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe, target process apinesp.exe)
- PID 804 wrote to memory of 1248 (pid 804, process 1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe, target process apinesp.exe)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe"
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
Level 2 (child): C:\Users\Admin\AppData\Roaming\hyperc\apinesp.exe
Command line: apinesp.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Roaming\hyperc\apinesp.exe
MD5: 80be2cb2a90aa45b243abf22a04985bd
SHA1: 286c7746f725429bfff7994aa79046a114edfce3
SHA256: 4da095e0a59cecad3fbfc6fa4f33c00e71edc9fffae041a521552390825732f7
SHA512: 112b8c0505a91aeab9d99f74e2d4f73fa4fb939e7f209fe7ba0119f08b8fa6c9792e8f1e3467a0e5694b0c692b8dcff8ae800cab7312ce4fbd7dc60d47fa27c3