Analysis

  • max time kernel
    155s
  • max time network
    166s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    05-10-2021 14:29

General

  • Target

    a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exe

  • Size

    1.8MB

  • MD5

    26ac6f38b111522b7802b03d1fa93e5f

  • SHA1

    a3f0455e91db6a4f4dea25752eb0074917f50d33

  • SHA256

    a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4

  • SHA512

    6c809cb685b29621442329c6482882406e6609516cdc4834dad3e3409c8f2a06cbc48b91a2a34d66b0e49ae9180f9ffc1a9a9312479f8694fdc7eb1ca0710e8e

Malware Config

Extracted

Family

redline

Botnet

new1

C2

185.180.220.105:11915

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exe
    "C:\Users\Admin\AppData\Local\Temp\a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:364
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1284

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Discovery
      System Information Discovery (T1082) 1

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
      MD5

      4da64a00d7ff89c04d675f50c32ee458

      SHA1

      505f39f4039bf5cba0009ea7b7d856f57d31a592

      SHA256

      610c668380bad93964320bea5957b4c08861e277abc78230a770ad45194905b3

      SHA512

      d38b6c1aea8763bdfc4e5cbaab8d65a74cf3bdf4d4230efc7005416a58f83742df46b213b91a83967aeb6d9dfccaa038adbf6001569e520b26373fa8f00ab9f4

    • memory/364-116-0x0000000000000000-mapping.dmp
    • memory/1284-127-0x00000000051C0000-0x00000000051C1000-memory.dmp
      Filesize

      4KB

    • memory/1284-124-0x000000000076C5F2-mapping.dmp
    • memory/1284-125-0x0000000000750000-0x0000000000751000-memory.dmp
      Filesize

      4KB

    • memory/1284-119-0x0000000000750000-0x00000000007A6000-memory.dmp
      Filesize

      344KB

    • memory/1284-128-0x0000000005CD0000-0x0000000005CD1000-memory.dmp
      Filesize

      4KB

    • memory/1284-129-0x0000000004D70000-0x0000000004D71000-memory.dmp
      Filesize

      4KB

    • memory/1284-130-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
      Filesize

      4KB

    • memory/1284-131-0x0000000005A50000-0x0000000005A51000-memory.dmp
      Filesize

      4KB

    • memory/1284-132-0x0000000005060000-0x0000000005061000-memory.dmp
      Filesize

      4KB

    • memory/1284-133-0x0000000005B60000-0x0000000005B61000-memory.dmp
      Filesize

      4KB

    • memory/1284-134-0x0000000004CC0000-0x00000000051BE000-memory.dmp
      Filesize

      5.0MB