Analysis

  • max time kernel: 123s
  • max time network: 116s
  • platform: windows10_x64
  • resource: win10-en-20210920
  • submitted: 26-09-2021 19:04

General

  • Target: 2A8ADC026B83F069E081F2CA587B3210.exe
  • Size: 1.1MB
  • MD5: 2a8adc026b83f069e081f2ca587b3210
  • SHA1: 145a5f9a6577cb906ab6f6dfb66dfc1ac9d1c964
  • SHA256: 333c439b7d052386c9060edb4c2b091589c8740bfb9e74c431b3746d4f7b1af9
  • SHA512: 870394113132df36002f2b0ddc31e7e5283ef8e96c7cbc5444a0b04dd82a4f68ac1290899ddd22231a61e45a54a4f0314d9fd1fe02f2dbb00bfd89b0bbfc27dd

Malware Config

Extracted

  • Family: redline
  • Botnet: 7
  • C2: 185.183.98.2:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser profile data, which includes saved credentials and other profile contents.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour; for this sample, classified as RedLine (an infostealer), drive enumeration is consistent with host profiling rather than encryption, and no file-encryption activity is listed in this report.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2A8ADC026B83F069E081F2CA587B3210.exe
    "C:\Users\Admin\AppData\Local\Temp\2A8ADC026B83F069E081F2CA587B3210.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c cmd < Essendosi.dot
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4316
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^MownSQgCPuLHWmIqWzHUkrmFXfwqDzhgFgBiLScpipcbLfwKQhZKSNxIJcADPhYvTvwIXAftYbMeHwUIgsldzCvSTSnfaRxTlZEfgaMdXVMxqawIBRfbrIedqpO$" Trasporta.dot
          4⤵
            PID:3100
          • C:\Users\Admin\AppData\Roaming\Lei.exe.com
            Lei.exe.com R
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3940
            • C:\Users\Admin\AppData\Roaming\Lei.exe.com
              C:\Users\Admin\AppData\Roaming\Lei.exe.com R
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4464
              • C:\Users\Admin\AppData\Roaming\RegAsm.exe
                C:\Users\Admin\AppData\Roaming\RegAsm.exe
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4480
          • C:\Windows\SysWOW64\PING.EXE
            ping localhost
            4⤵
            • Runs ping.exe
            PID:4064
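
The tree above shows the payload being staged with built-in Windows tools rather than with custom code. The initial executable (its nsc8043.tmp\nsExec.dll plugin is consistent with an NSIS installer) runs cmd with its script fed from Essendosi.dot via stdin redirection; findstr /V /R strips a single long, random-looking marker line from Trasporta.dot; the dropped Lei.exe.com is run with the argument R (R carries the same hashes as Rinunzia.dot); Lei.exe.com relaunches itself, uses SetThreadContext and WriteProcessMemory, and spawns RegAsm.exe from AppData\Roaming rather than from its .NET Framework directory, and it is that RegAsm.exe process that enumerates processes and adjusts token privileges. ping localhost from the same cmd is a common way to introduce a short delay in a batch script.

The following Python is an added detection example, not part of the sandbox output. The event list is constructed from the process tree above in a Sysmon Event ID 1 shape; the field names and the parent PID of the root process are assumptions. Each rule keys on one step of the chain so that the same logic can be run over real process-creation telemetry.

```python
import re
from typing import Dict, List, Tuple

# Events CONSTRUCTED from the Processes section of this report, in a Sysmon
# Event ID 1 shape. Field names and the root's ppid (1000) are assumptions.
EVENTS: List[Dict] = [
    {"pid": 3704, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2A8ADC026B83F069E081F2CA587B3210.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\2A8ADC026B83F069E081F2CA587B3210.exe"'},
    {"pid": 4176, "ppid": 3704, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": '"cmd" /c cmd < Essendosi.dot'},
    {"pid": 4316, "ppid": 4176, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "cmd"},
    {"pid": 3100, "ppid": 4316, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr /V /R "^MownSQgCPuLHWmIqWzHUkrmFXfwqDzhgFgBiLScpipcbLfwKQhZKSNxIJcADPhYvTvwIXAftYbMeHwUIgsldzCvSTSnfaRxTlZEfgaMdXVMxqawIBRfbrIedqpO$" Trasporta.dot'},
    {"pid": 3940, "ppid": 4316, "image": r"C:\Users\Admin\AppData\Roaming\Lei.exe.com",
     "cmd": "Lei.exe.com R"},
    {"pid": 4464, "ppid": 3940, "image": r"C:\Users\Admin\AppData\Roaming\Lei.exe.com",
     "cmd": r"C:\Users\Admin\AppData\Roaming\Lei.exe.com R"},
    {"pid": 4480, "ppid": 4464, "image": r"C:\Users\Admin\AppData\Roaming\RegAsm.exe",
     "cmd": r"C:\Users\Admin\AppData\Roaming\RegAsm.exe"},
    {"pid": 4064, "ppid": 4316, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": "ping localhost"},
]

# RegAsm.exe legitimately lives only under the .NET Framework directories.
LEGIT_REGASM = re.compile(
    r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\RegAsm\.exe$", re.I)
# findstr /V with one long, anchored, random-looking token strips a single
# marker line from a file: findstr used as a file carver, not as a search.
CARVE_TOKEN = re.compile(r'"\^[A-Za-z0-9]{32,}\$"')
# Executable with a stacked extension such as .exe.com
DOUBLE_EXT = re.compile(r"\.(exe|scr|bat|cmd|dll)\.(com|exe)$", re.I)
# cmd reading its script from a redirected file instead of a .bat/.cmd argument
STDIN_REDIRECT = re.compile(r"\bcmd\b[^<]*<\s*\S+", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        img, cmd = e["image"], e["cmd"]
        name = basename(img)
        parent = by_pid.get(e["ppid"])
        low = cmd.lower()
        if name == "cmd.exe" and STDIN_REDIRECT.search(cmd):
            findings.append((e["pid"], "cmd_script_via_stdin_redirect"))
        if name == "findstr.exe" and " /v" in low and CARVE_TOKEN.search(cmd):
            findings.append((e["pid"], "findstr_marker_strip_carver"))
        if DOUBLE_EXT.search(img):
            findings.append((e["pid"], "double_extension_executable"))
        # A process relaunching its own image (cmd excluded: cmd->cmd is routine)
        if parent and parent["image"].lower() == img.lower() and name != "cmd.exe":
            findings.append((e["pid"], "self_relaunch"))
        if name == "regasm.exe" and not LEGIT_REGASM.match(img):
            findings.append((e["pid"], "regasm_outside_dotnet_dir"))
        if (name == "ping.exe" and parent and basename(parent["image"]) == "cmd.exe"
                and re.search(r"\b(localhost|127\.0\.0\.1)\b", low)):
            findings.append((e["pid"], "ping_localhost_delay"))
    return findings


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the root of the tree down to pid, for alert context."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid:<5} {rule:<32} {' > '.join(ancestry(EVENTS, pid))}")
```

Run stand-alone it prints one line per finding with the full ancestry from the initial executable down, which is the context needed to tie RegAsm.exe back to the 2A8ADC026B83F069E081F2CA587B3210.exe sample. The RegAsm rule keys on the image path rather than a file hash, because the page lists RegAsm.exe as a file dropped into AppData\Roaming and a hash match would miss any other copy placed outside the Framework directories.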

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                     Count  ID
  Credential Access  Credentials in Files          2      T1081
  Discovery          Query Registry                1      T1012
  Discovery          System Information Discovery  1      T1082
  Discovery          Remote System Discovery       1      T1018
  Collection         Data from Local System        2      T1005


Downloads

  • C:\Users\Admin\AppData\Roaming\Animatrici.dot
    MD5: bfcc91b114b9a21004b6d03632cf342d
    SHA1: b70bbceafd65750e0804a92315665f8bcec55d0a
    SHA256: 080767a753d2ac6179cecc98c3d24fc80866fa12a7be8532ea1dedbd894b878a
    SHA512: 75278ee209936425511ccaf4566281bac5b0fb4ec24e92b63442f38c77f9ad1efd55d8c3eace37c6246a010964acaa1e1fe9e31c71c1bccbf481eac1fc733dda

  • C:\Users\Admin\AppData\Roaming\Essendosi.dot
    MD5: 63d201529eca3c4dafcf802e0e785a43
    SHA1: 487add411922b03a24428f4209ac3403228cbd27
    SHA256: 23e2d51c2b1acfbbe8622b00e987e1581e956840bc3e502c00da38928596090e
    SHA512: 128a4aeeca73c79046c56a0627fb3450cdbe1daa18e5113ca893d659550503bec5a06fc5c06f484c5ac906c4bea1dee2df61e7384915fc23923ad471c09824ec

  • C:\Users\Admin\AppData\Roaming\Lei.exe.com
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Roaming\R
    MD5: 610e041e78e0e6474ce9f01f547deecb
    SHA1: b2776e0b26045f5d5af062a300ec75c9ada67131
    SHA256: 4807b57e34f39d06159fb59d34ba3094df37e73724e2a8e665e722c9793b0cb4
    SHA512: 7e985214a838802cfd75c36be449a88595c922b5be6b9f84517a02524bcc5f973d4641831dde1191e6d761ac540abca05ba99aa9d797b9cdfbaa6f13482c84c6

  • C:\Users\Admin\AppData\Roaming\RegAsm.exe
    MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
    SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
    SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
    SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

  • C:\Users\Admin\AppData\Roaming\Rinunzia.dot
    MD5: 610e041e78e0e6474ce9f01f547deecb
    SHA1: b2776e0b26045f5d5af062a300ec75c9ada67131
    SHA256: 4807b57e34f39d06159fb59d34ba3094df37e73724e2a8e665e722c9793b0cb4
    SHA512: 7e985214a838802cfd75c36be449a88595c922b5be6b9f84517a02524bcc5f973d4641831dde1191e6d761ac540abca05ba99aa9d797b9cdfbaa6f13482c84c6

  • C:\Users\Admin\AppData\Roaming\Trasporta.dot
    MD5: 8f719e55dd361037400724fd9578f260
    SHA1: 4c1a2335ae5ae5ef6eee0257727d632d1adc80ba
    SHA256: f6dda29c4fdf6fdffa73b25ef1bcc2acc778bbbb9f4375316c3f46832d335053
    SHA512: cebd5d62fc91a86638b5c5c22c1f99da83137636275901f79228f013cc5fc423f0bdcfa1bb29ef46508e5e3cb19ba32813f0a9270ca4f8d4468a70982b7187e3

  • \Users\Admin\AppData\Local\Temp\nsc8043.tmp\nsExec.dll
    MD5: 09c2e27c626d6f33018b8a34d3d98cb6
    SHA1: 8d6bf50218c8f201f06ecf98ca73b74752a2e453
    SHA256: 114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1
    SHA512: 883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

  • memory/3100-119-0x0000000000000000-mapping.dmp
  • memory/3940-122-0x0000000000000000-mapping.dmp
  • memory/4064-124-0x0000000000000000-mapping.dmp
  • memory/4176-116-0x0000000000000000-mapping.dmp
  • memory/4316-118-0x0000000000000000-mapping.dmp
  • memory/4464-126-0x0000000000000000-mapping.dmp
  • memory/4464-129-0x0000000000F20000-0x0000000000F21000-memory.dmp (Filesize 4KB)
  • memory/4480-135-0x0000000005400000-0x0000000005401000-memory.dmp (Filesize 4KB)
  • memory/4480-141-0x0000000006630000-0x0000000006631000-memory.dmp (Filesize 4KB)
  • memory/4480-136-0x0000000004E50000-0x0000000004E51000-memory.dmp (Filesize 4KB)
  • memory/4480-137-0x0000000004F80000-0x0000000004F81000-memory.dmp (Filesize 4KB)
  • memory/4480-138-0x0000000004EB0000-0x0000000004EB1000-memory.dmp (Filesize 4KB)
  • memory/4480-139-0x0000000004EF0000-0x0000000004EF1000-memory.dmp (Filesize 4KB)
  • memory/4480-140-0x0000000004DF0000-0x00000000053F6000-memory.dmp (Filesize 6.0MB)
  • memory/4480-130-0x0000000000A00000-0x0000000000A22000-memory.dmp (Filesize 136KB)
  • memory/4480-142-0x0000000006D30000-0x0000000006D31000-memory.dmp (Filesize 4KB)
  • memory/4480-143-0x0000000006800000-0x0000000006801000-memory.dmp (Filesize 4KB)
  • memory/4480-144-0x0000000007760000-0x0000000007761000-memory.dmp (Filesize 4KB)
  • memory/4480-145-0x0000000006A10000-0x0000000006A11000-memory.dmp (Filesize 4KB)
  • memory/4480-146-0x0000000006B30000-0x0000000006B31000-memory.dmp (Filesize 4KB)
  • memory/4480-147-0x0000000006B10000-0x0000000006B11000-memory.dmp (Filesize 4KB)
  • memory/4480-148-0x00000000073E0000-0x00000000073E1000-memory.dmp (Filesize 4KB)