Analysis
- max time kernel: 35s
- max time network: 30s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21-10-2021 12:35
Static task: static1
Behavioral task: behavioral1
- Sample: Software patch by Sylox.exe
- Resource: win7-en-20211014
General
- Target: Software patch by Sylox.exe
- Size: 3.2MB
- MD5: 32da7dfc115619bf8a6197ec22b75edf
- SHA1: 6118bde049e88592ff92464788c63992a96ece13
- SHA256: ea152bfedb88c978ab9730ab0f6c9f4baed1777e33d5a6e25c3d542b5c39bb61
- SHA512: c2a522312fe8bcbe092c6dd46e6e34c53e0d9bf58bccea1f9de1e96b06c0f08d452e0c000a46f34b1cc5bbe22df866243edd17450c1a2ddf43854ddba26864a1
Malware Config
Extracted: redline
- @faqu_1
- 95.181.152.6:46927
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/432-74-0x00000000003E0000-0x000000000040E000-memory.dmp    family_redline
    behavioral1/memory/432-80-0x0000000004920000-0x0000000004939000-memory.dmp    family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    804   Datafile32.exe
    924   Datafile64.exe
    432   Server32.exe
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                               process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Software patch by Sylox.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Software patch by Sylox.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Datafile32.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Datafile32.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Datafile64.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Datafile64.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid    process
    1552   Software patch by Sylox.exe
    1552   Software patch by Sylox.exe
    1552   Software patch by Sylox.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
  Processes:
    resource                                                                       yara_rule
    behavioral1/memory/1552-58-0x0000000000300000-0x0000000000301000-memory.dmp    themida
    \Users\Admin\AppData\Local\Temp\Datafile32.exe                                 themida
    C:\Users\Admin\AppData\Local\Temp\Datafile32.exe                               themida
    behavioral1/memory/804-65-0x0000000000400000-0x0000000000E48000-memory.dmp     themida
    \Users\Admin\AppData\Local\Temp\Datafile64.exe                                 themida
    C:\Users\Admin\AppData\Local\Temp\Datafile64.exe                               themida
    behavioral1/memory/924-70-0x0000000000400000-0x0000000000EAE000-memory.dmp     themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes:
    description         ioc                                                                          process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Datafile64.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Software patch by Sylox.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Datafile32.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes:
    pid    process
    1552   Software patch by Sylox.exe
    804    Datafile32.exe
    924    Datafile64.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    432   Server32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1552   Software patch by Sylox.exe
    Token: SeDebugPrivilege   432    Server32.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description                       pid    process                       target process
    PID 1552 wrote to memory of 804   1552   Software patch by Sylox.exe   Datafile32.exe
    PID 1552 wrote to memory of 804   1552   Software patch by Sylox.exe   Datafile32.exe
    PID 1552 wrote to memory of 804   1552   Software patch by Sylox.exe   Datafile32.exe
    PID 1552 wrote to memory of 804   1552   Software patch by Sylox.exe   Datafile32.exe
    PID 1552 wrote to memory of 924   1552   Software patch by Sylox.exe   Datafile64.exe
    PID 1552 wrote to memory of 924   1552   Software patch by Sylox.exe   Datafile64.exe
    PID 1552 wrote to memory of 924   1552   Software patch by Sylox.exe   Datafile64.exe
    PID 1552 wrote to memory of 924   1552   Software patch by Sylox.exe   Datafile64.exe
    PID 1552 wrote to memory of 432   1552   Software patch by Sylox.exe   Server32.exe
    PID 1552 wrote to memory of 432   1552   Software patch by Sylox.exe   Server32.exe
    PID 1552 wrote to memory of 432   1552   Software patch by Sylox.exe   Server32.exe
    PID 1552 wrote to memory of 432   1552   Software patch by Sylox.exe   Server32.exe
    PID 804 wrote to memory of 728    804    Datafile32.exe                conhost.exe
    PID 804 wrote to memory of 728    804    Datafile32.exe                conhost.exe
    PID 804 wrote to memory of 728    804    Datafile32.exe                conhost.exe
    PID 804 wrote to memory of 728    804    Datafile32.exe                conhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Software patch by Sylox.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Software patch by Sylox.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\conhost.exe
      Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
  - C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
  - C:\Users\Admin\AppData\Local\Temp\Server32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server32.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Datafile32.exe (also listed as \Users\Admin\AppData\Local\Temp\Datafile32.exe)
  MD5: 3dddbab9fbf93ab3dbe8c3eebb783472
  SHA1: aa54ca975e692d541cd7b37054fbc343aba7906e
  SHA256: e6315f3eb516284f6bdbb69680f5a4ff2ab4ddc6f93e1937830cccbeaa99d038
  SHA512: 8eae2168273a675725df6711dab6519e5787688268a7e9f0a5a80dd15bed77951619e274abb5d228b84bd527646b414e345781a4f8c743551b8532d9c6eaa5b8
- C:\Users\Admin\AppData\Local\Temp\Datafile64.exe (also listed as \Users\Admin\AppData\Local\Temp\Datafile64.exe)
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
- C:\Users\Admin\AppData\Local\Temp\Server32.exe (also listed as \Users\Admin\AppData\Local\Temp\Server32.exe)
  MD5: 7066ed03efd072ba5c0d9479c4dd23c1
  SHA1: 064dfe6c112b419a5822c2fc3d5cdcc296f76fae
  SHA256: fe528fc9917783284421b45f302fc62f5058d40a9156fabeed1f7771478b24c8
  SHA512: e0d9684809b32046ef115c1cdb851d00d0d31be6a79219e656b4c7a42ad690d1a6f60049a9589261e03198c07532db5ed1500128ab4c3c9f60c228c13d03e10b
- memory/432-72-0x0000000000000000-mapping.dmp
- memory/432-82-0x0000000004B01000-0x0000000004B02000-memory.dmp (Filesize: 4KB)
- memory/432-83-0x0000000004B02000-0x0000000004B03000-memory.dmp (Filesize: 4KB)
- memory/432-84-0x0000000004B04000-0x0000000004B05000-memory.dmp (Filesize: 4KB)
- memory/432-80-0x0000000004920000-0x0000000004939000-memory.dmp (Filesize: 100KB)
- memory/432-74-0x00000000003E0000-0x000000000040E000-memory.dmp (Filesize: 184KB)
- memory/728-85-0x00000000000A0000-0x0000000000292000-memory.dmp (Filesize: 1.9MB)
- memory/804-65-0x0000000000400000-0x0000000000E48000-memory.dmp (Filesize: 10.3MB)
- memory/804-62-0x0000000000000000-mapping.dmp
- memory/804-64-0x0000000000401000-0x0000000000403000-memory.dmp (Filesize: 8KB)
- memory/924-67-0x0000000000000000-mapping.dmp
- memory/924-70-0x0000000000400000-0x0000000000EAE000-memory.dmp (Filesize: 10.7MB)
- memory/924-69-0x0000000000401000-0x0000000000403000-memory.dmp (Filesize: 8KB)
- memory/1552-58-0x0000000000300000-0x0000000000301000-memory.dmp (Filesize: 4KB)
- memory/1552-55-0x0000000075B71000-0x0000000075B73000-memory.dmp (Filesize: 8KB)
- memory/1552-60-0x00000000054B0000-0x00000000054B1000-memory.dmp (Filesize: 4KB)