Analysis
-
max time kernel
54s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
15-09-2021 02:02
Static task
static1
General
-
Target
2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe
-
Size
565KB
-
MD5
fe4a7ad6dbe0a0ae9c148de33f50802b
-
SHA1
b0b959e0bd284bd45eb7492d51b3e189ec5dd402
-
SHA256
2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642
-
SHA512
c6b1ec7cb76ad77a1f0be4e5b3c692a8981a7116f68b81d1d0c3bba9130ffe26aca8d1aa09b14868910cbd0a61ce853f8aeb77743f54f23427d6c85b1c4c7b64
Malware Config
Extracted
redline
15.09
185.215.113.17:48236
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1208-122-0x00000000021D0000-0x00000000021EF000-memory.dmp family_redline behavioral1/memory/1208-126-0x00000000024E0000-0x00000000024FE000-memory.dmp family_redline -
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
lipstersh.exepid process 1208 lipstersh.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
lipstersh.exepid process 1208 lipstersh.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
lipstersh.exedescription pid process Token: SeDebugPrivilege 1208 lipstersh.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exedescription pid process target process PID 992 wrote to memory of 1208 992 2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe lipstersh.exe PID 992 wrote to memory of 1208 992 2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe lipstersh.exe PID 992 wrote to memory of 1208 992 2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe lipstersh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe"C:\Users\Admin\AppData\Local\Temp\2c45d21de9caa436bc296e99df8a8409c0aea3126e3f125abafb036a4124c642.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wushup\lipstersh.exelipstersh.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\wushup\lipstersh.exeMD5
2e86ae6eb7d98ccfa1c9433f77baac74
SHA177f47fad5da023c8775496b442666d90dcc5d493
SHA2561566629c1522ed8c33bdf8d6cf525d0611994d45d533ba493b6133b27b668c71
SHA512c3c64a68c992bc24cda82c2115301c5ced2faa3c35b0eecc466d0a6464fd3eecca660779570fe06b30ef7cfbc1957020cf1789eae1a237afdda2da587c06327a
-
C:\Users\Admin\AppData\Roaming\wushup\lipstersh.exeMD5
2e86ae6eb7d98ccfa1c9433f77baac74
SHA177f47fad5da023c8775496b442666d90dcc5d493
SHA2561566629c1522ed8c33bdf8d6cf525d0611994d45d533ba493b6133b27b668c71
SHA512c3c64a68c992bc24cda82c2115301c5ced2faa3c35b0eecc466d0a6464fd3eecca660779570fe06b30ef7cfbc1957020cf1789eae1a237afdda2da587c06327a
-
memory/992-115-0x0000000000400000-0x00000000021AB000-memory.dmpFilesize
29.7MB
-
memory/992-114-0x0000000003DE0000-0x0000000003EAD000-memory.dmpFilesize
820KB
-
memory/1208-126-0x00000000024E0000-0x00000000024FE000-memory.dmpFilesize
120KB
-
memory/1208-129-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/1208-119-0x00000000001C0000-0x00000000001F0000-memory.dmpFilesize
192KB
-
memory/1208-121-0x00000000024C0000-0x00000000024C1000-memory.dmpFilesize
4KB
-
memory/1208-122-0x00000000021D0000-0x00000000021EF000-memory.dmpFilesize
124KB
-
memory/1208-123-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/1208-124-0x00000000024C2000-0x00000000024C3000-memory.dmpFilesize
4KB
-
memory/1208-125-0x00000000024C3000-0x00000000024C4000-memory.dmpFilesize
4KB
-
memory/1208-116-0x0000000000000000-mapping.dmp
-
memory/1208-127-0x0000000005030000-0x0000000005031000-memory.dmpFilesize
4KB
-
memory/1208-128-0x00000000056A0000-0x00000000056A1000-memory.dmpFilesize
4KB
-
memory/1208-120-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/1208-130-0x00000000057E0000-0x00000000057E1000-memory.dmpFilesize
4KB
-
memory/1208-131-0x00000000024C4000-0x00000000024C6000-memory.dmpFilesize
8KB
-
memory/1208-132-0x0000000005860000-0x0000000005861000-memory.dmpFilesize
4KB
-
memory/1208-133-0x0000000006A80000-0x0000000006A81000-memory.dmpFilesize
4KB
-
memory/1208-134-0x0000000006C50000-0x0000000006C51000-memory.dmpFilesize
4KB
-
memory/1208-135-0x0000000007270000-0x0000000007271000-memory.dmpFilesize
4KB
-
memory/1208-136-0x00000000075D0000-0x00000000075D1000-memory.dmpFilesize
4KB
-
memory/1208-137-0x0000000007670000-0x0000000007671000-memory.dmpFilesize
4KB
-
memory/1208-138-0x0000000006030000-0x0000000006031000-memory.dmpFilesize
4KB