Overview

overview

10

Static

static

71a395e91c...94.exe

windows7_x64

10

71a395e91c...94.exe

windows10_x64

10

Analysis

  • max time kernel
    106s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    26-09-2021 20:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    71a395e91c86b4636cbdc5a962373294.exe

  • Size

    661KB

  • MD5

    71a395e91c86b4636cbdc5a962373294

  • SHA1

    33798cff60d6228d9194df5f60bfca5e6be11179

  • SHA256

    150708169937ab48a2299f0e19112fdb01efd0233b984d85b647d96d06391bc5

  • SHA512

    bf31795274e03a780c52cfa0214748cc12ce60462fcea295c739930111b818a6c1c904e50219d13cec86643eed7acf2b0b01493ac61add0806e952caaa4cb80f

Score
10/10
redlinekanuckkdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

Kanuckk

C2

205.185.123.105:20035

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71a395e91c86b4636cbdc5a962373294.exe
    "C:\Users\Admin\AppData\Local\Temp\71a395e91c86b4636cbdc5a962373294.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\71a395e91c86b4636cbdc5a962373294.exe
      "C:\Users\Admin\AppData\Local\Temp\71a395e91c86b4636cbdc5a962373294.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 600
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1256

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1212-53-0x0000000001050000-0x0000000001051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1212-54-0x0000000000360000-0x0000000000378000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1212-57-0x00000000003A0000-0x00000000003A3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1212-60-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1256-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1256-63-0x0000000000C60000-0x0000000000C61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-55-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1720-56-0x000000000041C5EA-mapping.dmp

    Download

  • memory/1720-58-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1720-61-0x0000000004B10000-0x0000000004B11000-memory.dmp

    Filesize

    4KB

    Download