Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
21-10-2021 19:49
General
-
Target
Bitcoin Mining Software 1.5v.exe
-
Size
4.6MB
-
MD5
c9b0c2b2a7988eb97f7069bb423a7ffa
-
SHA1
85d72dd1cdf60d9dd4c2696d950e63d163102c37
-
SHA256
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
-
SHA512
88dfcec430d3cbb3eaf63611373f38a17a0a752d2d42566310d7f5275acbb8d82cfa3e8e58def6b0ed4e10e062f8e77fd2b7536c0931a1a8ddaba89a236c4e92
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
@EstetikaSell
C2
185.209.22.181:29234
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bitcoin Mining Software 1.5v.exe"C:\Users\Admin\AppData\Local\Temp\Bitcoin Mining Software 1.5v.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 2562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3328-138-0x0000000008B90000-0x0000000008B91000-memory.dmpFilesize
4KB
-
memory/3328-159-0x000000000AE80000-0x000000000AE81000-memory.dmpFilesize
4KB
-
memory/3328-131-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/3328-133-0x00000000091A0000-0x00000000091A1000-memory.dmpFilesize
4KB
-
memory/3328-158-0x000000000A780000-0x000000000A781000-memory.dmpFilesize
4KB
-
memory/3328-149-0x0000000009B00000-0x0000000009B01000-memory.dmpFilesize
4KB
-
memory/3328-148-0x0000000009B60000-0x0000000009B61000-memory.dmpFilesize
4KB
-
memory/3328-122-0x0000000000340000-0x000000000035E000-memory.dmpFilesize
120KB
-
memory/3328-127-0x0000000000359A6E-mapping.dmp
-
memory/3328-128-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/3328-129-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/3328-130-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/3328-147-0x0000000009A40000-0x0000000009A41000-memory.dmpFilesize
4KB
-
memory/3328-134-0x0000000006760000-0x0000000006761000-memory.dmpFilesize
4KB
-
memory/3328-146-0x0000000008EA0000-0x0000000008EA1000-memory.dmpFilesize
4KB
-
memory/3328-135-0x0000000008CA0000-0x0000000008CA1000-memory.dmpFilesize
4KB
-
memory/3328-136-0x00000000067C0000-0x00000000067C1000-memory.dmpFilesize
4KB
-
memory/3328-137-0x0000000006810000-0x0000000006811000-memory.dmpFilesize
4KB
-
memory/3328-143-0x0000000009CB0000-0x0000000009CB1000-memory.dmpFilesize
4KB
-
memory/3328-139-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/3772-115-0x00000000007E0000-0x00000000007E1000-memory.dmpFilesize
4KB
-
memory/3772-116-0x00000000007F0000-0x00000000007F1000-memory.dmpFilesize
4KB
-
memory/3772-117-0x0000000002750000-0x0000000002751000-memory.dmpFilesize
4KB
-
memory/3772-121-0x00000000000D0000-0x0000000000561000-memory.dmpFilesize
4.6MB
-
memory/3772-120-0x0000000002780000-0x0000000002781000-memory.dmpFilesize
4KB
-
memory/3772-119-0x0000000002770000-0x0000000002771000-memory.dmpFilesize
4KB
-
memory/3772-118-0x0000000002760000-0x0000000002761000-memory.dmpFilesize
4KB