Analysis

  • max time kernel    1602s
  • max time network   1607s
  • platform           windows7_x64
  • resource           win7-de-20210920
  • submitted          22-10-2021 14:39

General

  • Target   Fri05f84fa77402bf.exe
  • Size     394KB
  • MD5      8e0abf31bbb7005be2893af10fcceaa9
  • SHA1     a48259c2346d7aed8cf14566d066695a8c2db55c
  • SHA256   2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
  • SHA512   ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

Malware Config

Extracted

  • Family   redline
  • Botnet   ChrisNEW
  • C2       194.104.136.5:46013

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill entries.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour, but this report shows no file-encryption or ransom-note activity; for an infostealer such as RedLine, drive enumeration is consistent with host profiling and locating files to exfiltrate.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
    "C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
      C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1rydf7
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1684
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {5AA66AE9-21EC-4D6F-909B-817F07D7A199} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    PID:1656
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {38055C2D-9ECC-4EB5-BC46-BB6D1A9DF037} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Program Files\Mozilla Firefox\default-browser-agent.exe
      "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
      2⤵
      PID:1008
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7BDF6BD2-80A6-4193-A34F-A071023BE65D} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    PID:1368

  Note: the three taskeng.exe instances are the Task Scheduler engine running scheduled tasks that already exist in the sandbox image, and "default-browser-agent.exe do-task" is Firefox's own Default Browser Agent task. None of them descends from Fri05f84fa77402bf.exe, so they are not evidence of persistence by the sample. The sample's own activity is the chain PID 592 → PID 308 (a second copy of the same image, with SetThreadContext and WriteProcessMemory on the parent) → iexplore.exe opening https://iplogger.org/1rydf7.
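The shape of the sample's tree above (PID 592 spawning a second copy of Fri05f84fa77402bf.exe as PID 308, with SetThreadContext and WriteProcessMemory on the parent, then iexplore.exe launched from the child with an iplogger.org URL) is the classic process-hollowing pattern: create a suspended copy of yourself, write the real payload into it, redirect its main thread, resume. The Python below is an added example and is not part of the sandbox report or its tooling. It encodes the report's tree as constructed records (the `Proc` type and its field names are assumptions) and applies the two checks an analyst would otherwise make by eye: same-image self-spawn with the write-then-redirect API pair on the parent, and any URL handed to a browser from below the hollowed child.

```python
"""Added example (not part of the sandbox report): detect the
process-hollowing shape in a process tree and list URLs opened
from under the hollowed child.

The records below are constructed from the report's process tree
(PIDs, image paths, command lines and per-process API signatures);
the Proc type and its field names are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    sigs: set = field(default_factory=set)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
DBA = r"C:\Program Files\Mozilla Firefox\default-browser-agent.exe"

# Constructed from the report's tree; not a raw sandbox export.
PROCS = [
    Proc(592, None, SAMPLE, '"' + SAMPLE + '"',
         {"SetThreadContext", "WriteProcessMemory"}),
    Proc(308, 592, SAMPLE, SAMPLE,
         {"AdjustPrivilegeToken", "WriteProcessMemory"}),
    Proc(1736, 308, IE64, '"' + IE64 + '" https://iplogger.org/1rydf7',
         {"SetWindowsHookEx", "WriteProcessMemory"}),
    Proc(1684, 1736, IE32,
         '"' + IE32 + '" SCODEF:1736 CREDAT:275457 /prefetch:2',
         {"SetWindowsHookEx"}),
    Proc(1852, None, r"C:\Windows\system32\taskeng.exe",
         "taskeng.exe {38055C2D-9ECC-4EB5-BC46-BB6D1A9DF037}",
         {"WriteProcessMemory"}),
    Proc(1008, 1852, DBA, '"' + DBA + '" do-task'),
]

# Hollowing writes the payload into a suspended child, then points the
# child's thread at it: both APIs are needed on the parent.
HOLLOW_APIS = {"SetThreadContext", "WriteProcessMemory"}
URL_RE = re.compile(r"https?://\S+")


def find_hollowing(procs):
    """(parent_pid, child_pid) pairs where a process spawns its own image
    and the parent shows the write-then-redirect API pair."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if (parent is not None
                and parent.image.lower() == child.image.lower()
                and HOLLOW_APIS <= parent.sigs):
            hits.append((parent.pid, child.pid))
    return hits


def descendants(procs, root_pid):
    """All PIDs below root_pid in the tree (breadth-first)."""
    kids = {}
    for p in procs:
        kids.setdefault(p.ppid, []).append(p.pid)
    out, queue = set(), [root_pid]
    while queue:
        cur = queue.pop(0)
        for k in kids.get(cur, []):
            if k not in out:
                out.add(k)
                queue.append(k)
    return out


def browser_urls(procs, root_pid):
    """(pid, url) for every URL on a command line under root_pid."""
    below = descendants(procs, root_pid)
    return [(p.pid, u) for p in procs if p.pid in below
            for u in URL_RE.findall(p.cmdline)]


def analyze(procs):
    """Hollowing chains plus any URL opened from under the hollowed child."""
    return [{"hollowed": (parent_pid, child_pid),
             "urls": browser_urls(procs, child_pid)}
            for parent_pid, child_pid in find_hollowing(procs)]


if __name__ == "__main__":
    for finding in analyze(PROCS):
        print(finding)
```

The taskeng.exe → default-browser-agent.exe chain is not flagged because the images differ, and a same-image spawn without SetThreadContext on the parent (a plain re-launch or elevation) is also left alone; the pair of conditions is what makes this a hollowing check rather than a "process spawned itself" check.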

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                      Sigs   ID
  Defense Evasion      Modify Registry                1      T1112
  Credential Access    Credentials in Files           2      T1081
  Discovery            Query Registry                 1      T1012
  Discovery            System Information Discovery   1      T1082
  Collection           Data from Local System         2      T1005
  Command and Control  Web Service                    1      T1102

  Note: these IDs follow ATT&CK v6. T1081 (Credentials in Files) was later deprecated and is T1552.001 (Unsecured Credentials: Credentials In Files) in current ATT&CK; the other five IDs are unchanged.


Downloads

  The four files below live in Internet Explorer and CryptoAPI cache locations (CryptnetUrlCache, imagestore, Cookies), consistent with iexplore.exe loading https://iplogger.org/1rydf7 above rather than with files dropped by the sample itself.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5     ab5c36d10261c173c5896f3478cdc6b7
    SHA1    87ac53810ad125663519e944bc87ded3979cbee4
    SHA256  f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9
    SHA512  e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5     46213e3ef3c8f1377aa91097e43a6b7e
    SHA1    8e42487664754b99f7c34ef1de14b0fa8072db1c
    SHA256  eb6b42f48b408e07107a28e446ba3ac898487c844ed9c57d6879c76e79a0d821
    SHA512  778a4b182102a8f567f9fb143443a30916997ada87ceb028437c45f080f09242acca3f2f8573172b95e86a83bd094354f6ac2d30be3c4eeeed996690cbb2452f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat
    MD5     206e023148ee2bb5a1997faad14b2318
    SHA1    ad9d3ce706dc10c5a7ccdaf6cb82698879c3d5e6
    SHA256  27b6a630ea7c10cbf23f0ee8ad8a8af7f6877bbc799ac71fc069621e26e3181b
    SHA512  efabbc2236637f8f7b910eabca99ca847a98b66de43233aad39a5a5cb78c1269ffa1bb21c3d3fdf2f41c9e2abfde29e9627f2b129ecdb1c35ee2b7b81ec102af

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8I2CSA6O.txt
    MD5     e2be4a0f533d4b098c09104c414de173
    SHA1    cffaf07b8174c9d1c74d0fb9296a0b9d2b543668
    SHA256  5e13cefa875c06d0823812e26a803eaaf34f862f942095f1e06d40a3cee6add5
    SHA512  72920acb6eee1738c425f6d5fa8b3bc76c1bc89f83f95e9669cff2c926d823a3011ba30e5d965449e19c2634ed5a56d3dffa6e2fe4e07eccfdfe1f5c8897846c

  • memory/308-57-0x0000000000400000-0x000000000041E000-memory.dmp   Filesize 120KB
  • memory/308-58-0x0000000000400000-0x000000000041E000-memory.dmp   Filesize 120KB
  • memory/308-59-0x0000000000400000-0x000000000041E000-memory.dmp   Filesize 120KB
  • memory/308-60-0x0000000000400000-0x000000000041E000-memory.dmp   Filesize 120KB
  • memory/308-61-0x0000000000400000-0x000000000041E000-memory.dmp   Filesize 120KB
  • memory/308-62-0x0000000000418542-mapping.dmp
  • memory/308-63-0x0000000000400000-0x000000000041E000-memory.dmp   Filesize 120KB
  • memory/308-65-0x0000000004370000-0x0000000004371000-memory.dmp   Filesize 4KB
  • memory/592-54-0x0000000000900000-0x0000000000901000-memory.dmp   Filesize 4KB
  • memory/592-56-0x0000000004290000-0x0000000004291000-memory.dmp   Filesize 4KB
  • memory/1008-72-0x0000000000000000-mapping.dmp
  • memory/1684-67-0x0000000000000000-mapping.dmp
  • memory/1736-66-0x0000000000000000-mapping.dmp
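The memory-dump names carry the information an analyst needs to pick the right dump: the hollowed child PID 308 is the only process with a 120KB region dumped at 0x400000, the default image base for a 32-bit PE, and its single "mapping" address 0x418542 falls inside that region. The report does not define what the mapping entry denotes, so the example only locates it. The Python below is an added example, not report tooling; it parses the file-name layout as seen in the listing (an assumption of this example, inferred from the names, not documented by the report), computes region sizes, and cross-checks mapping addresses against dumped regions of the same process. The `DUMPS` list is constructed from the report's own file names.

```python
"""Added example (not from the sandbox report): parse the memory-dump
file names and relate them to the hollowed child (PID 308).

Name layout assumed from the listing (an assumption of this example):
  memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   a dumped region
  memory/<pid>-<seq>-0x<addr>-mapping.dmp            a single address
"""
import re
from collections import defaultdict

# Constructed from the report's memory-dump listing.
DUMPS = [
    "memory/308-59-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/308-58-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/308-61-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/308-62-0x0000000000418542-mapping.dmp",
    "memory/308-63-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/308-65-0x0000000004370000-0x0000000004371000-memory.dmp",
    "memory/308-60-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/308-57-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/592-54-0x0000000000900000-0x0000000000901000-memory.dmp",
    "memory/592-56-0x0000000004290000-0x0000000004291000-memory.dmp",
    "memory/1008-72-0x0000000000000000-mapping.dmp",
    "memory/1684-67-0x0000000000000000-mapping.dmp",
    "memory/1736-66-0x0000000000000000-mapping.dmp",
]

REGION_RE = re.compile(
    r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse(names):
    """Return (pid -> {(start, end)}, pid -> {addr}); repeated dumps of the
    same region collapse to one entry."""
    regions, mappings = defaultdict(set), defaultdict(set)
    for name in names:
        m = REGION_RE.match(name)
        if m:
            pid, start, end = m.groups()
            regions[int(pid)].add((int(start, 16), int(end, 16)))
            continue
        m = MAPPING_RE.match(name)
        if m:
            pid, addr = m.groups()
            mappings[int(pid)].add(int(addr, 16))
    return dict(regions), dict(mappings)


def region_size_kb(region):
    """Size of a (start, end) region in KB; matches the report's Filesize."""
    start, end = region
    return (end - start) // 1024


def mappings_in_regions(regions, mappings):
    """(pid, addr, region) for each mapping address that lies inside a
    dumped region of the same process."""
    hits = []
    for pid in sorted(mappings):
        for addr in sorted(mappings[pid]):
            for region in sorted(regions.get(pid, ())):
                if region[0] <= addr < region[1]:
                    hits.append((pid, addr, region))
    return hits


def image_base_regions(regions, base=0x400000):
    """PIDs with a dumped region starting at the default 32-bit PE image
    base: the first dumps to feed to a RedLine YARA rule or config extractor."""
    return sorted(pid for pid, rs in regions.items()
                  if any(r[0] == base for r in rs))


if __name__ == "__main__":
    regions, mappings = parse(DUMPS)
    for pid, addr, (start, end) in mappings_in_regions(regions, mappings):
        print(f"PID {pid}: mapping 0x{addr:X} inside 0x{start:X}-0x{end:X} "
              f"({region_size_kb((start, end))} KB)")
    print("regions at image base:", image_base_regions(regions))
```

The six 0x400000 dumps of PID 308 are snapshots of one 120KB region, not six different payloads; the 4KB dumps in PID 592 and PID 308 are single pages. The three zero-address mapping entries belong to the browser and scheduled-task processes and carry no region to check against.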