Analysis
- max time kernel: 123s
- max time network: 116s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 19:04

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2A8ADC026B83F069E081F2CA587B3210.exe
  - Resource: win7-en-20210920
General
- Target: 2A8ADC026B83F069E081F2CA587B3210.exe
- Size: 1.1MB
- MD5: 2a8adc026b83f069e081f2ca587b3210
- SHA1: 145a5f9a6577cb906ab6f6dfb66dfc1ac9d1c964
- SHA256: 333c439b7d052386c9060edb4c2b091589c8740bfb9e74c431b3746d4f7b1af9
- SHA512: 870394113132df36002f2b0ddc31e7e5283ef8e96c7cbc5444a0b04dd82a4f68ac1290899ddd22231a61e45a54a4f0314d9fd1fe02f2dbb00bfd89b0bbfc27dd
Malware Config
Extracted
- Family: redline
- Botnet: 7
- C2: 185.183.98.2:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource                                                                       yara_rule
    behavioral2/memory/4480-130-0x0000000000A00000-0x0000000000A22000-memory.dmp   family_redline
    behavioral2/memory/4480-140-0x0000000004DF0000-0x00000000053F6000-memory.dmp   family_redline
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3940  Lei.exe.com
    4464  Lei.exe.com
    4480  RegAsm.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    3704  2A8ADC026B83F069E081F2CA587B3210.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description             target pid   pid   process       target process
    set thread context of   4480         4464  Lei.exe.com   RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature reads "Likely ransomware behaviour"; for this sample, which the report classifies as RedLine and for which no file-encryption activity is reported, drive enumeration is consistent with a stealer locating files to collect, not with ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    4480  RegAsm.exe
    4480  RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   4480  RegAsm.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (the sandbox emits one row per call; identical rows are collapsed here with a call count):
    pid   process                                target pid   target process   calls
    3704  2A8ADC026B83F069E081F2CA587B3210.exe   4176         cmd.exe          3
    4176  cmd.exe                                4316         cmd.exe          3
    4316  cmd.exe                                3100         findstr.exe      3
    4316  cmd.exe                                3940         Lei.exe.com      3
    4316  cmd.exe                                4064         PING.EXE         3
    3940  Lei.exe.com                            4464         Lei.exe.com      3
    4464  Lei.exe.com                            4480         RegAsm.exe       5
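The WriteProcessMemory and SetThreadContext tables together are the fingerprint of process hollowing: a parent writes into a freshly created child several times (headers, sections, entry point) and then redirects the child's primary thread with SetThreadContext. The following script is an added example, not part of the sandbox report or of any vendor tool, that rebuilds the parent/child tree from rows in the sandbox's own row format and pairs every SetThreadContext edge with the number of writes the same parent made into the same child. The rows are constructed from the tables above (the five writes from 4464 into 4480 are kept, repeats on the other edges are abridged to one); the list of commonly hollowed .NET host binaries is the editor's assumption, not something the report states.

```python
import re
from collections import defaultdict

# Rows constructed from the WriteProcessMemory and SetThreadContext IoC tables of
# this report. The sandbox emits one row per call; repeats on the other edges are
# abridged to one here, the five writes from 4464 into 4480 are kept as reported.
WPM_ROWS = """\
PID 3704 wrote to memory of 4176 3704 2A8ADC026B83F069E081F2CA587B3210.exe cmd.exe
PID 4176 wrote to memory of 4316 4176 cmd.exe cmd.exe
PID 4316 wrote to memory of 3100 4316 cmd.exe findstr.exe
PID 4316 wrote to memory of 3940 4316 cmd.exe Lei.exe.com
PID 4316 wrote to memory of 4064 4316 cmd.exe PING.EXE
PID 3940 wrote to memory of 4464 3940 Lei.exe.com Lei.exe.com
PID 4464 wrote to memory of 4480 4464 Lei.exe.com RegAsm.exe
PID 4464 wrote to memory of 4480 4464 Lei.exe.com RegAsm.exe
PID 4464 wrote to memory of 4480 4464 Lei.exe.com RegAsm.exe
PID 4464 wrote to memory of 4480 4464 Lei.exe.com RegAsm.exe
PID 4464 wrote to memory of 4480 4464 Lei.exe.com RegAsm.exe
"""
STC_ROWS = "PID 4464 set thread context of 4480 4464 Lei.exe.com RegAsm.exe\n"

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")

# Signed .NET framework utilities that commodity loaders routinely hollow.
# Assumption: this list is the editor's, it is not taken from the report.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def parse(rows, rx):
    """(src pid, dst pid, src name, dst name) for every row the regex matches."""
    return [(int(s), int(d), sn, dn) for s, d, sn, dn in rx.findall(rows)]


def build_tree(wpm):
    """pid -> name, and parent pid -> unique child pids, derived from the write edges."""
    names, children = {}, defaultdict(list)
    for src, dst, src_name, dst_name in wpm:
        names[src], names[dst] = src_name, dst_name
        if dst not in children[src]:
            children[src].append(dst)
    return names, children


def ancestry(names, children, pid):
    """Root-to-pid chain of process names."""
    parent_of = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [names[p] for p in reversed(chain)]


def hollowing_findings(wpm, stc):
    """One finding per SetThreadContext edge: the full process chain, how many
    WriteProcessMemory calls the same parent made into the same child before
    redirecting its thread, and whether the child is a known hollowing host."""
    writes = defaultdict(int)
    for src, dst, *_ in wpm:
        writes[(src, dst)] += 1
    names, children = build_tree(wpm)
    out = []
    for src, dst, _src_name, dst_name in stc:
        out.append({
            "chain": " -> ".join(ancestry(names, children, dst)),
            "writes": writes.get((src, dst), 0),
            "known_host": dst_name.lower() in HOLLOW_HOSTS,
        })
    return out


def analyse(wpm_rows=WPM_ROWS, stc_rows=STC_ROWS):
    return hollowing_findings(parse(wpm_rows, WPM_RE), parse(stc_rows, STC_RE))


if __name__ == "__main__":
    for f in analyse():
        print(f"[hollowing] {f['chain']}  writes={f['writes']}  known_host={f['known_host']}")
```

On this report the single finding is the chain ending in RegAsm.exe with five writes from its Lei.exe.com parent, which is why the two family_redline YARA hits are in RegAsm.exe's memory rather than in the dropped executable's. A write count without a SetThreadContext edge (the cmd.exe rows) is ordinary process creation and should not be flagged on its own.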
Processes
1. C:\Users\Admin\AppData\Local\Temp\2A8ADC026B83F069E081F2CA587B3210.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2A8ADC026B83F069E081F2CA587B3210.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "cmd" /c cmd < Essendosi.dot
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: cmd
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\findstr.exe
            command line: findstr /V /R "^MownSQgCPuLHWmIqWzHUkrmFXfwqDzhgFgBiLScpipcbLfwKQhZKSNxIJcADPhYvTvwIXAftYbMeHwUIgsldzCvSTSnfaRxTlZEfgaMdXVMxqawIBRfbrIedqpO$" Trasporta.dot
         4. C:\Users\Admin\AppData\Roaming\Lei.exe.com
            command line: Lei.exe.com R
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\Lei.exe.com
               command line: C:\Users\Admin\AppData\Roaming\Lei.exe.com R
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Roaming\RegAsm.exe
                  command line: C:\Users\Admin\AppData\Roaming\RegAsm.exe
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\PING.EXE
            command line: ping localhost
            - Runs ping.exe
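The tree shows the staging trick used before any RedLine code runs: the installer feeds a batch script to cmd.exe on stdin (cmd < Essendosi.dot), that script runs findstr /V /R "^<marker>$" Trasporta.dot, which prints every line of the file except the one consisting solely of the marker, and a file named Lei.exe.com then appears in Roaming and is executed with the argument R (whose hashes match Rinunzia.dot). The redirection of findstr's output into Lei.exe.com is not visible in the process list, because cmd.exe handles redirection itself; reading the tree that way is an inference, and the contents of Essendosi.dot and Trasporta.dot are not on the page. The script below is an added example by the editor, not the sample's or the sandbox's code: it emulates findstr's /V /R line filter on a byte stream and checks, on a constructed stand-in payload, that a marker line prepended to a binary is removed without touching any of the payload's own bytes, including embedded LF and CRLF sequences. The marker string is the one from the findstr command line above; the payload and the file layout (marker first, then payload) are constructed assumptions.

```python
import hashlib
import re

# Marker copied from the findstr command line in the process tree. The layout of the
# real Trasporta.dot is not on the page; the staged file built below is an assumption.
MARKER = b"MownSQgCPuLHWmIqWzHUkrmFXfwqDzhgFgBiLScpipcbLfwKQhZKSNxIJcADPhYvTvwIXAftYbMeHwUIgsldzCvSTSnfaRxTlZEfgaMdXVMxqawIBRfbrIedqpO"


def findstr_v_r(data: bytes, pattern: bytes) -> bytes:
    """Emulate `findstr /V /R "<pattern>" file`: emit every line that does NOT match.
    Lines are split on LF only and the terminator stays attached to its line, so the
    survivors are re-emitted byte for byte. A PE therefore passes through unchanged
    unless one of its own byte runs between LFs happens to match the pattern."""
    rx = re.compile(pattern)
    pieces = re.split(rb"(?<=\n)", data)
    return b"".join(p for p in pieces if not rx.search(p.rstrip(b"\r\n")))


def stage(payload: bytes, marker: bytes = MARKER) -> bytes:
    """Constructed Trasporta.dot-style container: marker line first, raw payload after."""
    return marker + b"\r\n" + payload


def rebuild(staged: bytes, marker: bytes = MARKER) -> bytes:
    """What `findstr /V /R "^<marker>$" Trasporta.dot > Lei.exe.com` would leave behind."""
    return findstr_v_r(staged, b"^" + re.escape(marker) + b"$")


def demo() -> dict:
    # Constructed stand-in for the dropped executable: a DOS stub plus binary filler that
    # deliberately contains LF and CRLF bytes, the case a naive text-mode filter corrupts.
    payload = b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(256)) * 4 + b"\r\n\n" + b"\x00" * 64
    staged = stage(payload)
    rebuilt = rebuild(staged)
    return {
        "staged_has_marker": staged.startswith(MARKER),
        "rebuilt_md5": hashlib.md5(rebuilt).hexdigest(),
        "payload_md5": hashlib.md5(payload).hexdigest(),
        "identical": rebuilt == payload,
    }


if __name__ == "__main__":
    print(demo())
```

The same function is the check to run during triage when such a .dot file is recovered from disk: filter it with the marker from the command line and compare the MD5 of the result with the hash the sandbox reports for Lei.exe.com (c56b5f0201a3b3de53e561fe76912bfd here). If they match, the .dot file is the complete staged executable and nothing else was downloaded to produce it.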
Downloads
- C:\Users\Admin\AppData\Roaming\Animatrici.dot
  MD5:    bfcc91b114b9a21004b6d03632cf342d
  SHA1:   b70bbceafd65750e0804a92315665f8bcec55d0a
  SHA256: 080767a753d2ac6179cecc98c3d24fc80866fa12a7be8532ea1dedbd894b878a
  SHA512: 75278ee209936425511ccaf4566281bac5b0fb4ec24e92b63442f38c77f9ad1efd55d8c3eace37c6246a010964acaa1e1fe9e31c71c1bccbf481eac1fc733dda
- C:\Users\Admin\AppData\Roaming\Essendosi.dot
  MD5:    63d201529eca3c4dafcf802e0e785a43
  SHA1:   487add411922b03a24428f4209ac3403228cbd27
  SHA256: 23e2d51c2b1acfbbe8622b00e987e1581e956840bc3e502c00da38928596090e
  SHA512: 128a4aeeca73c79046c56a0627fb3450cdbe1daa18e5113ca893d659550503bec5a06fc5c06f484c5ac906c4bea1dee2df61e7384915fc23923ad471c09824ec
- C:\Users\Admin\AppData\Roaming\Lei.exe.com
  MD5:    c56b5f0201a3b3de53e561fe76912bfd
  SHA1:   2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Roaming\R (the argument passed to Lei.exe.com; same hashes as Rinunzia.dot, i.e. identical content)
  MD5:    610e041e78e0e6474ce9f01f547deecb
  SHA1:   b2776e0b26045f5d5af062a300ec75c9ada67131
  SHA256: 4807b57e34f39d06159fb59d34ba3094df37e73724e2a8e665e722c9793b0cb4
  SHA512: 7e985214a838802cfd75c36be449a88595c922b5be6b9f84517a02524bcc5f973d4641831dde1191e6d761ac540abca05ba99aa9d797b9cdfbaa6f13482c84c6
- C:\Users\Admin\AppData\Roaming\RegAsm.exe (dropped copy in Roaming, not the framework's own binary)
  MD5:    b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1:   d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- C:\Users\Admin\AppData\Roaming\Rinunzia.dot
  MD5:    610e041e78e0e6474ce9f01f547deecb
  SHA1:   b2776e0b26045f5d5af062a300ec75c9ada67131
  SHA256: 4807b57e34f39d06159fb59d34ba3094df37e73724e2a8e665e722c9793b0cb4
  SHA512: 7e985214a838802cfd75c36be449a88595c922b5be6b9f84517a02524bcc5f973d4641831dde1191e6d761ac540abca05ba99aa9d797b9cdfbaa6f13482c84c6
- C:\Users\Admin\AppData\Roaming\Trasporta.dot
  MD5:    8f719e55dd361037400724fd9578f260
  SHA1:   4c1a2335ae5ae5ef6eee0257727d632d1adc80ba
  SHA256: f6dda29c4fdf6fdffa73b25ef1bcc2acc778bbbb9f4375316c3f46832d335053
  SHA512: cebd5d62fc91a86638b5c5c22c1f99da83137636275901f79228f013cc5fc423f0bdcfa1bb29ef46508e5e3cb19ba32813f0a9270ca4f8d4468a70982b7187e3
- \Users\Admin\AppData\Local\Temp\nsc8043.tmp\nsExec.dll (the NSIS nsExec plugin, unpacked into the installer's temp directory)
  MD5:    09c2e27c626d6f33018b8a34d3d98cb6
  SHA1:   8d6bf50218c8f201f06ecf98ca73b74752a2e453
  SHA256: 114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1
  SHA512: 883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954
Memory dumps (listed under Downloads; sorted by pid and dump index)
dump                                                              region                     size
memory/3100-119-0x0000000000000000-mapping.dmp                    mapping                    -
memory/3940-122-0x0000000000000000-mapping.dmp                    mapping                    -
memory/4064-124-0x0000000000000000-mapping.dmp                    mapping                    -
memory/4176-116-0x0000000000000000-mapping.dmp                    mapping                    -
memory/4316-118-0x0000000000000000-mapping.dmp                    mapping                    -
memory/4464-126-0x0000000000000000-mapping.dmp                    mapping                    -
memory/4464-129-0x0000000000F20000-0x0000000000F21000-memory.dmp  0x00F20000-0x00F21000      4KB
memory/4480-130-0x0000000000A00000-0x0000000000A22000-memory.dmp  0x00A00000-0x00A22000      136KB (family_redline YARA hit)
memory/4480-135-0x0000000005400000-0x0000000005401000-memory.dmp  0x05400000-0x05401000      4KB
memory/4480-136-0x0000000004E50000-0x0000000004E51000-memory.dmp  0x04E50000-0x04E51000      4KB
memory/4480-137-0x0000000004F80000-0x0000000004F81000-memory.dmp  0x04F80000-0x04F81000      4KB
memory/4480-138-0x0000000004EB0000-0x0000000004EB1000-memory.dmp  0x04EB0000-0x04EB1000      4KB
memory/4480-139-0x0000000004EF0000-0x0000000004EF1000-memory.dmp  0x04EF0000-0x04EF1000      4KB
memory/4480-140-0x0000000004DF0000-0x00000000053F6000-memory.dmp  0x04DF0000-0x053F6000      6.0MB (family_redline YARA hit)
memory/4480-141-0x0000000006630000-0x0000000006631000-memory.dmp  0x06630000-0x06631000      4KB
memory/4480-142-0x0000000006D30000-0x0000000006D31000-memory.dmp  0x06D30000-0x06D31000      4KB
memory/4480-143-0x0000000006800000-0x0000000006801000-memory.dmp  0x06800000-0x06801000      4KB
memory/4480-144-0x0000000007760000-0x0000000007761000-memory.dmp  0x07760000-0x07761000      4KB
memory/4480-145-0x0000000006A10000-0x0000000006A11000-memory.dmp  0x06A10000-0x06A11000      4KB
memory/4480-146-0x0000000006B30000-0x0000000006B31000-memory.dmp  0x06B30000-0x06B31000      4KB
memory/4480-147-0x0000000006B10000-0x0000000006B11000-memory.dmp  0x06B10000-0x06B11000      4KB
memory/4480-148-0x00000000073E0000-0x00000000073E1000-memory.dmp  0x073E0000-0x073E1000      4KB