Overview

overview

10

Static

static

GI_hackV2.2.exe

windows7_x64

10

GI_hackV2.2.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    24-10-2021 16:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GI_hackV2.2.exe

  • Size

    382KB

  • MD5

    033b87f17b845a88b342f558a959ae32

  • SHA1

    4fbad0d47191a0e219accc9daeabc38fad3435f3

  • SHA256

    1426f8433819b5f8a6b88a386e44f52abc4082fe45cea4666d840ac633c9f123

  • SHA512

    6b7378f7f31de0ffef6fc98c2a7d9fcf15aed34c6de5aa5b8119a8fb17dad3b92ed9973c794c29c69d5dcd76b024564ed8daa530a1ad281fa3bb29a83b3907ac

Score
10/10
redlinemexfrend2110discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

MexFrend2110

C2

109.248.11.240:17314

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
    "C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
      C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
      2⤵
        PID:1528
      • C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
        C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
        2⤵
          PID:1524
        • C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
          C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:580

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/372-55-0x0000000000270000-0x0000000000271000-memory.dmp
        Filesize

        4KB

        Download
      • memory/372-57-0x00000000049A0000-0x00000000049A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/580-58-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/580-59-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/580-60-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/580-61-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/580-62-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/580-63-0x000000000041854E-mapping.dmp
        Download
      • memory/580-64-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/580-66-0x0000000004980000-0x0000000004981000-memory.dmp
        Filesize

        4KB

        Download