Analysis
-
max time kernel
85s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-09-2021 15:01
General
-
Target
E945.exe
-
Size
780KB
-
MD5
b2d8e3fc81ee69664d1221439ffd9ee8
-
SHA1
c325fe65f692c8ee023f12f41cbb0663d658b917
-
SHA256
2532854386c2ac90a742a4cb593fa2502f261ff2909444de7415ea175285b89b
-
SHA512
d31b225f989b75c02e09660aa5ec70e6a92b901567c823b38a726ed9735d60df755fbd9f80fb12a34e835253707a3ba8e0318f233b54794e55b79f785287976f
Malware Config
Extracted
redline
Bliss
185.237.98.178:62607
Extracted
redline
karma
94.103.9.133:39323
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
Chinese Botnet Payload 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\E945.exe"C:\Users\Admin\AppData\Local\Temp\E945.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe"C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe"C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\fbf.exe"C:\Users\Admin\AppData\Local\Temp\fbf.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
-
Filesize
784KB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
788KB
-
Filesize
4KB
-
Filesize
812KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
220KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
4KB