Overview

overview

10

Static

static

Fri05f84fa77402bf.exe

windows7_x64

10

Fri05f84fa77402bf.exe

windows7_x64

10

Fri05f84fa77402bf.exe

windows7_x64

10

Fri05f84fa77402bf.exe

windows11_x64

10

Fri05f84fa77402bf.exe

windows10_x64

10

Fri05f84fa77402bf.exe

windows10_x64

10

Fri05f84fa77402bf.exe

windows10_x64

10

Analysis

  • max time kernel
    1787s
  • max time network
    1826s
  • platform
    windows7_x64
  • resource
    win7-ja-20210920
  • submitted
    22-10-2021 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fri05f84fa77402bf.exe

  • Size

    394KB

  • MD5

    8e0abf31bbb7005be2893af10fcceaa9

  • SHA1

    a48259c2346d7aed8cf14566d066695a8c2db55c

  • SHA256

    2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a

  • SHA512

    ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

Score
10/10
redlinechrisnewdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

ChrisNEW

C2

194.104.136.5:46013

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
    "C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
      C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2032
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3F44E322-1390-4520-9382-68D26B9FBE1A} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
      PID:1132
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {625B8B4A-556E-4790-A99D-6059DB65EB02} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Program Files\Mozilla Firefox\default-browser-agent.exe
        "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
        2⤵
          PID:1544
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {85840366-8E3E-497B-916D-525A03B11EA0} S-1-5-18:NT AUTHORITY\System:Service:
        1⤵
          PID:1576

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Credentials in Files

        2
        T1081

        Discovery

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1544-65-0x0000000000000000-mapping.dmp
          Download
        • memory/1692-53-0x0000000000350000-0x0000000000351000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1692-55-0x0000000004A10000-0x0000000004A11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2032-57-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2032-56-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2032-59-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2032-58-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2032-60-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2032-61-0x0000000000418542-mapping.dmp
          Download
        • memory/2032-62-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2032-64-0x00000000047D0000-0x00000000047D1000-memory.dmp
          Filesize

          4KB

          Download