Overview

overview

10

Static

static

1330be0f94...0e.exe

windows7_x64

10

1330be0f94...0e.exe

windows10_x64

10

Analysis

  • max time kernel
    114s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    01-10-2021 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1330be0f9459506cfd3d972082f3cb0e.exe

  • Size

    1.3MB

  • MD5

    1330be0f9459506cfd3d972082f3cb0e

  • SHA1

    116815a43e5d9c6ae9dc998e93948e274209711a

  • SHA256

    c0da5841ddfc29dc9eea7d8d9e42d981385602f21025ec47798d302c3ef50096

  • SHA512

    0d865e09ca6ab65f617ad43d7badfbd80db79354e73178555ea2a37d9a51f40db94f7ff3c791b00da8ff84c91397a761d03b06ddac787f162b8edc23eabda1bc

Score
10/10
redlinenew1infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

new1

C2

185.180.220.105:11915

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1330be0f9459506cfd3d972082f3cb0e.exe
    "C:\Users\Admin\AppData\Local\Temp\1330be0f9459506cfd3d972082f3cb0e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
    MD5

    4da64a00d7ff89c04d675f50c32ee458

    SHA1

    505f39f4039bf5cba0009ea7b7d856f57d31a592

    SHA256

    610c668380bad93964320bea5957b4c08861e277abc78230a770ad45194905b3

    SHA512

    d38b6c1aea8763bdfc4e5cbaab8d65a74cf3bdf4d4230efc7005416a58f83742df46b213b91a83967aeb6d9dfccaa038adbf6001569e520b26373fa8f00ab9f4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
    MD5

    4da64a00d7ff89c04d675f50c32ee458

    SHA1

    505f39f4039bf5cba0009ea7b7d856f57d31a592

    SHA256

    610c668380bad93964320bea5957b4c08861e277abc78230a770ad45194905b3

    SHA512

    d38b6c1aea8763bdfc4e5cbaab8d65a74cf3bdf4d4230efc7005416a58f83742df46b213b91a83967aeb6d9dfccaa038adbf6001569e520b26373fa8f00ab9f4

    Download Submit
  • memory/2272-117-0x0000000000000000-mapping.dmp
    Download
  • memory/2768-132-0x0000000005310000-0x0000000005311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-134-0x0000000007070000-0x0000000007071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-126-0x0000000000400000-0x0000000000401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-128-0x0000000004E10000-0x0000000004E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-129-0x0000000005920000-0x0000000005921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-130-0x0000000004A80000-0x0000000004A81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-131-0x0000000004A30000-0x0000000004A31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-120-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize

    344KB

    Download
  • memory/2768-133-0x00000000057B0000-0x00000000057B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-125-0x000000000041C5F2-mapping.dmp
    Download
  • memory/2768-135-0x0000000004910000-0x0000000004E0E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2768-136-0x0000000007EF0000-0x0000000007EF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-137-0x00000000085F0000-0x00000000085F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-138-0x00000000080C0000-0x00000000080C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-139-0x0000000008160000-0x0000000008161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-140-0x0000000008460000-0x0000000008461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2768-141-0x0000000008B70000-0x0000000008B71000-memory.dmp
    Filesize

    4KB

    Download