Analysis
- max time kernel: 114s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 01-10-2021 06:02
Static task: static1
Behavioral task: behavioral1
- Sample: 1330be0f9459506cfd3d972082f3cb0e.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 1330be0f9459506cfd3d972082f3cb0e.exe
- Resource: win10-en-20210920
General
- Target: 1330be0f9459506cfd3d972082f3cb0e.exe
- Size: 1.3MB
- MD5: 1330be0f9459506cfd3d972082f3cb0e
- SHA1: 116815a43e5d9c6ae9dc998e93948e274209711a
- SHA256: c0da5841ddfc29dc9eea7d8d9e42d981385602f21025ec47798d302c3ef50096
- SHA512: 0d865e09ca6ab65f617ad43d7badfbd80db79354e73178555ea2a37d9a51f40db94f7ff3c791b00da8ff84c91397a761d03b06ddac787f162b8edc23eabda1bc
Malware Config
Extracted
- Family: redline
- Botnet: new1
- C2: 185.180.220.105:11915
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2768-120-0x0000000000400000-0x0000000000456000-memory.dmp | family_redline
behavioral2/memory/2768-125-0x000000000041C5F2-mapping.dmp | family_redline
behavioral2/memory/2768-135-0x0000000004910000-0x0000000004E0E000-memory.dmp | family_redline
All three YARA hits are in the memory of PID 2768 (RegSvcs.exe), not in any file on disk: the RedLine payload only becomes visible after foto.exe has injected it into RegSvcs.exe, so a file-hash lookup on the dropped files alone would miss it.
- Executes dropped EXE (1 IoC)
Processes:
pid | process
2272 | foto.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2272 set thread context of 2768 | 2272 | foto.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic annotation for this signature reads "Likely ransomware behaviour"; for a stealer such as RedLine it is better read as drive enumeration ahead of file collection, since no encryption activity is reported elsewhere in this analysis.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
2768 | RegSvcs.exe
2768 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2768 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 1812 wrote to memory of 2272 | 1812 | 1330be0f9459506cfd3d972082f3cb0e.exe | foto.exe
PID 1812 wrote to memory of 2272 | 1812 | 1330be0f9459506cfd3d972082f3cb0e.exe | foto.exe
PID 1812 wrote to memory of 2272 | 1812 | 1330be0f9459506cfd3d972082f3cb0e.exe | foto.exe
PID 2272 wrote to memory of 2768 | 2272 | foto.exe | RegSvcs.exe
PID 2272 wrote to memory of 2768 | 2272 | foto.exe | RegSvcs.exe
PID 2272 wrote to memory of 2768 | 2272 | foto.exe | RegSvcs.exe
PID 2272 wrote to memory of 2768 | 2272 | foto.exe | RegSvcs.exe
PID 2272 wrote to memory of 2768 | 2272 | foto.exe | RegSvcs.exe
The five writes into PID 2768 followed by the single SetThreadContext on the same process are the classic WriteProcessMemory-then-SetThreadContext hollowing sequence: foto.exe starts RegSvcs.exe, overwrites its image, and redirects the main thread into the injected RedLine payload.
Processes
1. C:\Users\Admin\AppData\Local\Temp\1330be0f9459506cfd3d972082f3cb0e.exe (PID 1812)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1330be0f9459506cfd3d972082f3cb0e.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe (PID 2272)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2768)
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
The RarSFX0 extraction directory identifies the submitted sample as a WinRAR self-extracting archive that unpacks and runs foto.exe. RegSvcs.exe, a signed Microsoft .NET utility, is started with no arguments and serves only as the host process for the injected payload; it is the process that then enumerates other processes and enables SeDebugPrivilege.
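The following script is an added example and is not part of the sandbox report or of RedLine itself. It parses the "wrote to memory of", "set thread context of" and "Token:" rows exactly as the signature tables above print them (copied here as constructed input), groups them per parent/child pair, reconstructs the process chain and flags the WriteProcessMemory-then-SetThreadContext hollowing pattern. The DOTNET_HOSTS list of commonly hollowed .NET utilities is an assumption for illustration; the report does not state it.

```python
import re
from collections import defaultdict

# Constructed input: the cross-process rows copied from the report's
# signature tables for this sample.
REPORT_EVENTS = """\
PID 1812 wrote to memory of 2272 1812 1330be0f9459506cfd3d972082f3cb0e.exe foto.exe
PID 1812 wrote to memory of 2272 1812 1330be0f9459506cfd3d972082f3cb0e.exe foto.exe
PID 1812 wrote to memory of 2272 1812 1330be0f9459506cfd3d972082f3cb0e.exe foto.exe
PID 2272 wrote to memory of 2768 2272 foto.exe RegSvcs.exe
PID 2272 wrote to memory of 2768 2272 foto.exe RegSvcs.exe
PID 2272 wrote to memory of 2768 2272 foto.exe RegSvcs.exe
PID 2272 wrote to memory of 2768 2272 foto.exe RegSvcs.exe
PID 2272 wrote to memory of 2768 2272 foto.exe RegSvcs.exe
PID 2272 set thread context of 2768 2272 foto.exe RegSvcs.exe
Token: SeDebugPrivilege 2768 RegSvcs.exe
"""

# Assumption (not from the report): signed .NET framework utilities that
# loaders commonly start suspended and hollow out.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "vbc.exe", "csc.exe", "aspnet_compiler.exe"}

INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) (?P<pid>\d+) (?P<img>\S+)$")


def parse_events(text):
    """Turn the report's signature rows into event dicts; other rows are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = INJECT_RE.match(line)
        if m:
            kind = "WriteProcessMemory" if m["action"].startswith("wrote") else "SetThreadContext"
            events.append({"kind": kind, "src": int(m["src"]), "dst": int(m["dst"]),
                           "src_img": m["src_img"], "dst_img": m["dst_img"]})
            continue
        m = TOKEN_RE.match(line)
        if m:
            events.append({"kind": "AdjustPrivilegeToken", "src": int(m["pid"]),
                           "dst": int(m["pid"]), "src_img": m["img"],
                           "dst_img": m["img"], "priv": m["priv"]})
    return events


def detect_hollowing(events):
    """Group cross-process events per (parent, child) pair. A pair showing both
    memory writes and a SetThreadContext is the hollowing pattern; writes alone
    (the SFX stub unpacking foto.exe) are listed but not scored, so the whole
    chain stays visible in the output."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src_img": "", "dst_img": ""})
    privs = defaultdict(set)
    for ev in events:
        if ev["kind"] == "AdjustPrivilegeToken":
            privs[ev["dst"]].add(ev["priv"])
            continue
        rec = pairs[(ev["src"], ev["dst"])]
        rec["src_img"], rec["dst_img"] = ev["src_img"], ev["dst_img"]
        rec["writes" if ev["kind"] == "WriteProcessMemory" else "ctx"] += 1
    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        hollowed = rec["writes"] > 0 and rec["ctx"] > 0
        score = 0
        if hollowed:
            score += 60
            if rec["dst_img"].lower() in DOTNET_HOSTS:
                score += 25  # payload now lives inside a signed Microsoft binary
            if "SeDebugPrivilege" in privs[dst]:
                score += 15  # and the hollowed process enabled SeDebugPrivilege
        findings.append({"src": src, "dst": dst, "src_img": rec["src_img"],
                         "dst_img": rec["dst_img"], "writes": rec["writes"],
                         "set_thread_context": rec["ctx"],
                         "hollowed": hollowed, "score": score})
    return findings


def chain(findings):
    """Render the parent -> child -> grandchild chain from the pair findings."""
    parent_of = {f["dst"]: f["src"] for f in findings}
    image = {}
    for f in findings:
        image[f["src"]] = f["src_img"]
        image[f["dst"]] = f["dst_img"]
    sources = {f["src"] for f in findings}
    leaf = next(f["dst"] for f in findings if f["dst"] not in sources)
    path, pid = [], leaf
    while pid is not None:
        path.append(f"{image[pid]}({pid})")
        pid = parent_of.get(pid)
    return " -> ".join(reversed(path))


if __name__ == "__main__":
    found = detect_hollowing(parse_events(REPORT_EVENTS))
    print(chain(found))
    for f in found:
        flag = "HOLLOWING" if f["hollowed"] else "write-only"
        print(f"{f['src_img']}({f['src']}) -> {f['dst_img']}({f['dst']}): "
              f"{f['writes']} writes, {f['set_thread_context']} SetThreadContext, "
              f"{flag}, score {f['score']}")
```

Run stand-alone, it prints the chain 1330be0f9459506cfd3d972082f3cb0e.exe(1812) -> foto.exe(2272) -> RegSvcs.exe(2768) and scores only the foto.exe -> RegSvcs.exe pair as hollowing, because that is the only pair where a SetThreadContext follows the memory writes. The same grouping works on Sysmon or EDR telemetry once the source and target PIDs and the API name are mapped onto the same event dicts.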
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
  MD5: 4da64a00d7ff89c04d675f50c32ee458
  SHA1: 505f39f4039bf5cba0009ea7b7d856f57d31a592
  SHA256: 610c668380bad93964320bea5957b4c08861e277abc78230a770ad45194905b3
  SHA512: d38b6c1aea8763bdfc4e5cbaab8d65a74cf3bdf4d4230efc7005416a58f83742df46b213b91a83967aeb6d9dfccaa038adbf6001569e520b26373fa8f00ab9f4
- memory/2272-117-0x0000000000000000-mapping.dmp
- memory/2768-132-0x0000000005310000-0x0000000005311000-memory.dmp (4KB)
- memory/2768-134-0x0000000007070000-0x0000000007071000-memory.dmp (4KB)
- memory/2768-126-0x0000000000400000-0x0000000000401000-memory.dmp (4KB)
- memory/2768-128-0x0000000004E10000-0x0000000004E11000-memory.dmp (4KB)
- memory/2768-129-0x0000000005920000-0x0000000005921000-memory.dmp (4KB)
- memory/2768-130-0x0000000004A80000-0x0000000004A81000-memory.dmp (4KB)
- memory/2768-131-0x0000000004A30000-0x0000000004A31000-memory.dmp (4KB)
- memory/2768-120-0x0000000000400000-0x0000000000456000-memory.dmp (344KB)
- memory/2768-133-0x00000000057B0000-0x00000000057B1000-memory.dmp (4KB)
- memory/2768-125-0x000000000041C5F2-mapping.dmp
- memory/2768-135-0x0000000004910000-0x0000000004E0E000-memory.dmp (5.0MB)
- memory/2768-136-0x0000000007EF0000-0x0000000007EF1000-memory.dmp (4KB)
- memory/2768-137-0x00000000085F0000-0x00000000085F1000-memory.dmp (4KB)
- memory/2768-138-0x00000000080C0000-0x00000000080C1000-memory.dmp (4KB)
- memory/2768-139-0x0000000008160000-0x0000000008161000-memory.dmp (4KB)
- memory/2768-140-0x0000000008460000-0x0000000008461000-memory.dmp (4KB)
- memory/2768-141-0x0000000008B70000-0x0000000008B71000-memory.dmp (4KB)
All dumps are from PID 2768 (RegSvcs.exe) except 2272-117 (foto.exe). The 344KB region at 0x400000-0x456000 (dump 120) is the image written into RegSvcs.exe by foto.exe, and dump 125 records a mapping at 0x41C5F2 inside that same image, consistent with the SetThreadContext call pointing the main thread into the injected code. Dumps 120, 125 and 135 are the three that matched the family_redline YARA rule, so dump 120 is the one to carve if an unpacked RedLine binary is needed for further analysis.