Analysis
max time kernel: 57s
max time network: 19s
platform: windows7_x64
resource: win7-de-20210920
submitted: 20-10-2021 01:01
Static task: static1
Behavioral task behavioral1 - Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe - Resource: win7-ja-20211014
Behavioral task behavioral2 - Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe - Resource: win7-de-20210920
Behavioral task behavioral3 - Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe - Resource: win11
Behavioral task behavioral4 - Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe - Resource: win10-ja-20211014
Behavioral task behavioral5 - Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe - Resource: win10-en-20210920
Behavioral task behavioral6 - Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe - Resource: win10-de-20211014
General
Target: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe
Size: 15.1MB
MD5: 083776e54ad37b3a45d7e6516b1e13fb
SHA1: e784e8f041dfb7612e8439518ed587f1f878b9eb
SHA256: 4334163e03a3cae86600be22c3deb8e786142db27883cc99f0536f713621df9d
SHA512: 0985538bf8c2add2e85ac09e64826e0993fae2b1b4e7643a42f010201e4e8f2065f673a795aa4eabf7bee26709f35fbc84553042f40ce3a2fde96a271c43590c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 1860 crack.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe (by crack.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe (by crack.exe)
- Loads dropped DLL (4 IoCs)
  Process: PID 1308 Redline_20_2_crack.exe (4 events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text; no file-encryption activity is recorded elsewhere in this run.)
- Modifies Internet Explorer settings (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main (by Redline_20_2_crack.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Process: PID 1860 crack.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: PID 1308 Redline_20_2_crack.exe (2 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1308 Redline_20_2_crack.exe wrote to memory of PID 1860 crack.exe (4 events)
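The Startup-folder persistence recorded above is the cheapest IoC from this run to hunt for on other hosts. The script below is an added example, not part of the sandbox report and not code from the sample or its authors: it hashes every file in a user's Startup folder and flags anything whose SHA-256 matches the dropped crack.exe hash listed in the Downloads section, or whose file name matches the dropped file. The Startup path and the hash are taken from the report; the function names (`scan_startup`, `demo`) and the stand-in file contents are assumptions constructed so the example runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the dropped crack.exe, from the report's Downloads section.
KNOWN_BAD_SHA256 = {
    "b38006408e2229c1c23c56e4efba5df476d7ee13931ec7766cb6940b1b397679",
}
# Name of the file the report shows being written to the Startup folder.
DROPPED_NAME = "crack.exe"
# Per-user Startup folder the sample wrote to (Windows path; on a non-Windows
# host the %APPDATA% token stays unexpanded and scan_startup returns []).
STARTUP_DIR = Path(os.path.expandvars(
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"))


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_startup(startup_dir, known_hashes=KNOWN_BAD_SHA256, dropped_name=DROPPED_NAME):
    """Return (path, sha256, reasons) for every file in startup_dir matching an IoC.

    A hash match is high-confidence; a bare name match is a weaker lead that
    still deserves a look, since a rebuilt crack.exe would not share the hash.
    """
    startup_dir = Path(startup_dir)
    hits = []
    if not startup_dir.is_dir():
        return hits
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file():
            continue
        digest = sha256_file(entry)
        reasons = []
        if digest in known_hashes:
            reasons.append("sha256 matches dropped crack.exe")
        if entry.name.lower() == dropped_name:
            reasons.append("file name matches dropped file")
        if reasons:
            hits.append((str(entry), digest, reasons))
    return hits


def demo():
    """Offline run against a constructed Startup folder (not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_startup = Path(tmp)
        # Constructed stand-in: same name as the dropped file but arbitrary
        # bytes, so the hash rule stays quiet and only the name rule fires.
        (fake_startup / "crack.exe").write_bytes(b"MZ constructed stand-in, not the sample")
        (fake_startup / "OneNote.lnk").write_bytes(b"benign placeholder shortcut")
        return scan_startup(fake_startup)


if __name__ == "__main__":
    hits = demo()                        # constructed data, always runs
    hits += scan_startup(STARTUP_DIR)    # real per-user Startup folder, if present
    for path, digest, reasons in hits:
        print(f"{path}\n  sha256={digest}\n  {'; '.join(reasons)}")
```

Extend `KNOWN_BAD_SHA256` with the parent sample's hash from the General section if the unpacked dropper itself might have been copied to a persistence location; for fleet-wide hunting the same two checks translate directly into an EDR file-inventory query over the Startup path.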
Processes
- C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\Redline_20_2_crack.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\Redline_20_2_crack.exe"
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\crack.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\crack.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\crack.exe
MD5: d2092715d71b90721291a1d59f69a8cc
SHA1: 99ebd7a6601d85cc7206b5a9dbf623ec9e5963ad
SHA256: b38006408e2229c1c23c56e4efba5df476d7ee13931ec7766cb6940b1b397679
SHA512: 3b99205ae8c7c69ca207b45b5d2701a24a7aa2bff2f4dace45702f4eaca71e19d0630d33f869e4793d7d3f9d429b37c77690df6913c225e0b9e5c3e7d583d322
-
memory/1308-58-0x000000007EF84000-0x000000007EF86000-memory.dmp - Filesize: 8KB
-
memory/1308-60-0x000000007EF88000-0x000000007EF89000-memory.dmp - Filesize: 4KB
-
memory/1308-53-0x0000000075981000-0x0000000075983000-memory.dmp - Filesize: 8KB
-
memory/1308-54-0x000000007EF80000-0x000000007EF82000-memory.dmp - Filesize: 8KB
-
memory/1308-55-0x000000007EF82000-0x000000007EF84000-memory.dmp - Filesize: 8KB
-
memory/1860-65-0x0000000000000000-mapping.dmp
-
memory/1860-68-0x0000000000050000-0x0000000000051000-memory.dmp - Filesize: 4KB
-
memory/1860-70-0x000000001B020000-0x000000001B022000-memory.dmp - Filesize: 8KB