Analysis
-
max time kernel
97s -
max time network
107s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
15-09-2021 12:30
Static task
static1
General
-
Target
bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exe
-
Size
560KB
-
MD5
e5d3630e0cdff565691245215cf6540f
-
SHA1
4f3139a1d07509f3cade03655bc08344bc34c79f
-
SHA256
bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30
-
SHA512
00ec20aa89ad6c30b9c6224b2d7de6f2673e5a7bc0d56f887c1d2123ab9faa153afbdb1080072831b3c83414f49fb5348db6951f64077ecb87cda3b64dfa2140
Malware Config
Extracted
redline
mix15.09
185.215.113.15:6043
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/3972-119-0x00000000023F0000-0x000000000240F000-memory.dmp family_redline behavioral1/memory/3972-126-0x0000000004AD0000-0x0000000004AEE000-memory.dmp family_redline -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
apinesp.exepid process 3972 apinesp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
apinesp.exepid process 3972 apinesp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
apinesp.exedescription pid process Token: SeDebugPrivilege 3972 apinesp.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exedescription pid process target process PID 656 wrote to memory of 3972 656 bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exe apinesp.exe PID 656 wrote to memory of 3972 656 bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exe apinesp.exe PID 656 wrote to memory of 3972 656 bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exe apinesp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exe"C:\Users\Admin\AppData\Local\Temp\bebe442625b617199a99f13540f137dbd9ee63f1ff70adf9b5464c808d342e30.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wushup\apinesp.exeapinesp.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\wushup\apinesp.exeMD5
56ce9f55182e2d0a68fc3a5d914695a9
SHA1688b1677fd782f9754be46ed6595b5552892a361
SHA2561f92fcdfb40475f95f044971dbf32a4617d5d02b790a0d6e86b58724783f2eee
SHA512bd952aa8272b20772f9435f4c20455b07815c193cfc3b7a6c3aa805f0386186f7440bd08a3efe0cedf1252fc5f95697e7100fa3639c47d6c540efcdae071fbb7
-
C:\Users\Admin\AppData\Roaming\wushup\apinesp.exeMD5
56ce9f55182e2d0a68fc3a5d914695a9
SHA1688b1677fd782f9754be46ed6595b5552892a361
SHA2561f92fcdfb40475f95f044971dbf32a4617d5d02b790a0d6e86b58724783f2eee
SHA512bd952aa8272b20772f9435f4c20455b07815c193cfc3b7a6c3aa805f0386186f7440bd08a3efe0cedf1252fc5f95697e7100fa3639c47d6c540efcdae071fbb7
-
memory/656-115-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/656-114-0x00000000022F0000-0x00000000023BC000-memory.dmpFilesize
816KB
-
memory/3972-126-0x0000000004AD0000-0x0000000004AEE000-memory.dmpFilesize
120KB
-
memory/3972-129-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/3972-121-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/3972-120-0x00000000005A0000-0x00000000006EA000-memory.dmpFilesize
1.3MB
-
memory/3972-122-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/3972-123-0x0000000004BA2000-0x0000000004BA3000-memory.dmpFilesize
4KB
-
memory/3972-124-0x0000000004BA3000-0x0000000004BA4000-memory.dmpFilesize
4KB
-
memory/3972-125-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/3972-116-0x0000000000000000-mapping.dmp
-
memory/3972-127-0x00000000050B0000-0x00000000050B1000-memory.dmpFilesize
4KB
-
memory/3972-128-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/3972-119-0x00000000023F0000-0x000000000240F000-memory.dmpFilesize
124KB
-
memory/3972-130-0x00000000057E0000-0x00000000057E1000-memory.dmpFilesize
4KB
-
memory/3972-131-0x0000000004BA4000-0x0000000004BA6000-memory.dmpFilesize
8KB
-
memory/3972-132-0x0000000005860000-0x0000000005861000-memory.dmpFilesize
4KB
-
memory/3972-133-0x0000000006A80000-0x0000000006A81000-memory.dmpFilesize
4KB
-
memory/3972-134-0x0000000006C50000-0x0000000006C51000-memory.dmpFilesize
4KB
-
memory/3972-135-0x0000000007270000-0x0000000007271000-memory.dmpFilesize
4KB
-
memory/3972-136-0x0000000007390000-0x0000000007391000-memory.dmpFilesize
4KB
-
memory/3972-137-0x0000000007550000-0x0000000007551000-memory.dmpFilesize
4KB
-
memory/3972-138-0x0000000007570000-0x0000000007571000-memory.dmpFilesize
4KB