Analysis
- max time kernel: 156s
- max time network: 166s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 18:42
Tasks:
- Static task: static1
- Behavioral task: behavioral1, Sample: 5dbd8aa86a7a7f9fb08d46199adfbb16.exe, Resource: win7-en-20211014
General
- Target: 5dbd8aa86a7a7f9fb08d46199adfbb16.exe
- Size: 653KB
- MD5: 5dbd8aa86a7a7f9fb08d46199adfbb16
- SHA1: 79aea5a1228db2443dd58dc870829f70fb1a8f76
- SHA256: f9770d111ea06ea7a7c4b10461d7b88a1971b0e3f07573b3d656ef752db9abb2
- SHA512: 5133b95931395e6524a8df7aa549551ed44e7369620e3e72eade262fbf5802382a362287fc5d64b9b46ae311576fe2f80959b9513f730ad1f478f132bd2628e6
Malware Config
Extracted:
- Family: redline
- 22.10
- 185.215.113.17:7700
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes (resource, yara rule):
  behavioral2/memory/1684-122-0x0000000004CA0000-0x0000000004CBC000-memory.dmp  family_redline
  behavioral2/memory/1684-129-0x0000000005150000-0x000000000516A000-memory.dmp  family_redline
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1684  ipstersh.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  5dbd8aa86a7a7f9fb08d46199adfbb16.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5dbd8aa86a7a7f9fb08d46199adfbb16.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
  1684  ipstersh.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  1684  ipstersh.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 3608 wrote to memory of 1684  3608  5dbd8aa86a7a7f9fb08d46199adfbb16.exe  ipstersh.exe
  PID 3608 wrote to memory of 1684  3608  5dbd8aa86a7a7f9fb08d46199adfbb16.exe  ipstersh.exe
  PID 3608 wrote to memory of 1684  3608  5dbd8aa86a7a7f9fb08d46199adfbb16.exe  ipstersh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5dbd8aa86a7a7f9fb08d46199adfbb16.exe (process tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5dbd8aa86a7a7f9fb08d46199adfbb16.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\wowsfree\ipstersh.exe (process tree depth 2)
  Command line: ipstersh.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\wowsfree\ipstersh.exe
  MD5: c4d5d13ebf7d05776d60caa9f33428af
  SHA1: 385e771216489a904ceda560d2715a760bfa7451
  SHA256: 391fe7f9cb02a497ee846f1637eb01ca6f3586cadc277bf71074906d5c0d4be1
  SHA512: 689a0e819c00be0b3b74c7fd386597274f44b38ac435c0bdc5db8ba5e51b1ea6a20478131f9c4b6ecafcc724509069e854064b8c128d5adfc19028a86097efed
Memory dumps (file, size):
- memory/1684-128-0x0000000007713000-0x0000000007714000-memory.dmp (4KB)
- memory/1684-139-0x0000000008BA0000-0x0000000008BA1000-memory.dmp (4KB)
- memory/1684-140-0x0000000009130000-0x0000000009131000-memory.dmp (4KB)
- memory/1684-121-0x0000000002F30000-0x0000000002F52000-memory.dmp (136KB)
- memory/1684-122-0x0000000004CA0000-0x0000000004CBC000-memory.dmp (112KB)
- memory/1684-123-0x0000000007720000-0x0000000007721000-memory.dmp (4KB)
- memory/1684-124-0x0000000002FD0000-0x000000000311A000-memory.dmp (1.3MB)
- memory/1684-126-0x0000000007710000-0x0000000007711000-memory.dmp (4KB)
- memory/1684-125-0x0000000000400000-0x0000000002F1A000-memory.dmp (43.1MB)
- memory/1684-127-0x0000000007712000-0x0000000007713000-memory.dmp (4KB)
- memory/1684-141-0x0000000009300000-0x0000000009301000-memory.dmp (4KB)
- memory/1684-118-0x0000000000000000-mapping.dmp
- memory/1684-132-0x0000000008230000-0x0000000008231000-memory.dmp (4KB)
- memory/1684-131-0x0000000007670000-0x0000000007671000-memory.dmp (4KB)
- memory/1684-130-0x0000000007C20000-0x0000000007C21000-memory.dmp (4KB)
- memory/1684-133-0x0000000007690000-0x0000000007691000-memory.dmp (4KB)
- memory/1684-134-0x0000000007714000-0x0000000007716000-memory.dmp (8KB)
- memory/1684-135-0x0000000008340000-0x0000000008341000-memory.dmp (4KB)
- memory/1684-136-0x0000000008810000-0x0000000008811000-memory.dmp (4KB)
- memory/1684-137-0x00000000088B0000-0x00000000088B1000-memory.dmp (4KB)
- memory/1684-138-0x00000000089C0000-0x00000000089C1000-memory.dmp (4KB)
- memory/1684-129-0x0000000005150000-0x000000000516A000-memory.dmp (104KB)
- memory/3608-116-0x0000000000F20000-0x0000000000FEF000-memory.dmp (828KB)
- memory/3608-117-0x0000000000400000-0x00000000008D3000-memory.dmp (4.8MB)