Analysis
- max time kernel: 121s
- max time network: 165s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 18:42
Static task: static1
Behavioral task: behavioral1
Sample: 8b9e83c83ae81fcbd74ab39b85298c04.exe
Resource: win7-en-20211014
General
- Target: 8b9e83c83ae81fcbd74ab39b85298c04.exe
- Size: 631KB
- MD5: 8b9e83c83ae81fcbd74ab39b85298c04
- SHA1: 53b8026213abed21634724f814d7f5d968ec8856
- SHA256: a557f57a2434180c029c72ce310e2c4d1585c2f53aea58c375634f45754757a9
- SHA512: 3ceb1bff38c133f5e1712d38c0b16d00fc0d55b6e1df6ab6bfde1c0e836fa4091fa7148a1d9650b0984b68349e04d83dba8fd47a8a770707b2801b45a594abe1
Malware Config
Extracted:
- Family: redline
- 22.10
- 185.215.113.17:7700
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/2212-128-0x0000000004D60000-0x0000000004D7C000-memory.dmp | family_redline
  behavioral2/memory/2212-130-0x00000000075C0000-0x00000000075DA000-memory.dmp | family_redline
-
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  2212 | ipstersh.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 8b9e83c83ae81fcbd74ab39b85298c04.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 8b9e83c83ae81fcbd74ab39b85298c04.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 8b9e83c83ae81fcbd74ab39b85298c04.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid | process
  2212 | ipstersh.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: ipstersh.exe
  description | pid | process
  Token: SeDebugPrivilege | 2212 | ipstersh.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 8b9e83c83ae81fcbd74ab39b85298c04.exe
  description | pid | process | target process
  PID 1280 wrote to memory of 2212 | 1280 | 8b9e83c83ae81fcbd74ab39b85298c04.exe | ipstersh.exe
  PID 1280 wrote to memory of 2212 | 1280 | 8b9e83c83ae81fcbd74ab39b85298c04.exe | ipstersh.exe
  PID 1280 wrote to memory of 2212 | 1280 | 8b9e83c83ae81fcbd74ab39b85298c04.exe | ipstersh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b9e83c83ae81fcbd74ab39b85298c04.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\8b9e83c83ae81fcbd74ab39b85298c04.exe"
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wowsfree\ipstersh.exe (level 2, child of the process above)
Command line: ipstersh.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\wowsfree\ipstersh.exe
MD5: c4d5d13ebf7d05776d60caa9f33428af
SHA1: 385e771216489a904ceda560d2715a760bfa7451
SHA256: 391fe7f9cb02a497ee846f1637eb01ca6f3586cadc277bf71074906d5c0d4be1
SHA512: 689a0e819c00be0b3b74c7fd386597274f44b38ac435c0bdc5db8ba5e51b1ea6a20478131f9c4b6ecafcc724509069e854064b8c128d5adfc19028a86097efed
- memory/1280-120-0x0000000000400000-0x0000000002F64000-memory.dmp (Filesize: 43.4MB)
- memory/1280-118-0x00000000030C0000-0x000000000312C000-memory.dmp (Filesize: 432KB)
- memory/1280-119-0x0000000004C60000-0x0000000004D2F000-memory.dmp (Filesize: 828KB)
- memory/2212-130-0x00000000075C0000-0x00000000075DA000-memory.dmp (Filesize: 104KB)
- memory/2212-134-0x00000000076E3000-0x00000000076E4000-memory.dmp (Filesize: 4KB)
- memory/2212-124-0x0000000003070000-0x0000000003092000-memory.dmp (Filesize: 136KB)
- memory/2212-126-0x00000000076E0000-0x00000000076E1000-memory.dmp (Filesize: 4KB)
- memory/2212-127-0x0000000000400000-0x0000000002F1A000-memory.dmp (Filesize: 43.1MB)
- memory/2212-128-0x0000000004D60000-0x0000000004D7C000-memory.dmp (Filesize: 112KB)
- memory/2212-129-0x00000000076F0000-0x00000000076F1000-memory.dmp (Filesize: 4KB)
- memory/2212-121-0x0000000000000000-mapping.dmp
- memory/2212-131-0x0000000008200000-0x0000000008201000-memory.dmp (Filesize: 4KB)
- memory/2212-132-0x0000000007660000-0x0000000007661000-memory.dmp (Filesize: 4KB)
- memory/2212-133-0x00000000076E2000-0x00000000076E3000-memory.dmp (Filesize: 4KB)
- memory/2212-125-0x0000000004B20000-0x0000000004B4F000-memory.dmp (Filesize: 188KB)
- memory/2212-135-0x0000000007BF0000-0x0000000007BF1000-memory.dmp (Filesize: 4KB)
- memory/2212-136-0x0000000007690000-0x0000000007691000-memory.dmp (Filesize: 4KB)
- memory/2212-137-0x00000000076E4000-0x00000000076E6000-memory.dmp (Filesize: 8KB)
- memory/2212-138-0x0000000007D30000-0x0000000007D31000-memory.dmp (Filesize: 4KB)
- memory/2212-139-0x0000000008810000-0x0000000008811000-memory.dmp (Filesize: 4KB)
- memory/2212-140-0x00000000088F0000-0x00000000088F1000-memory.dmp (Filesize: 4KB)
- memory/2212-141-0x0000000008AF0000-0x0000000008AF1000-memory.dmp (Filesize: 4KB)
- memory/2212-142-0x0000000008B70000-0x0000000008B71000-memory.dmp (Filesize: 4KB)
- memory/2212-143-0x0000000008FF0000-0x0000000008FF1000-memory.dmp (Filesize: 4KB)
- memory/2212-144-0x00000000091C0000-0x00000000091C1000-memory.dmp (Filesize: 4KB)