Overview

overview

10

Static

static

10

setup_inst...32.exe

windows10_x64

10

setup_inst...2b.exe

windows10_x64

8

setup_inst...61.exe

windows10_x64

10

setup_inst...f8.exe

windows10_x64

10

setup_inst...34.exe

windows10_x64

10

setup_inst...c2.exe

windows10_x64

10

setup_inst...cb.exe

windows10_x64

10

setup_inst...90.exe

windows10_x64

10

setup_inst...79.exe

windows10_x64

6

setup_inst...d8.exe

windows10_x64

3

setup_inst...3b.exe

windows10_x64

8

setup_inst...ac.exe

windows10_x64

10

setup_inst...38.exe

windows10_x64

10

setup_inst...b5.exe

windows10_x64

10

setup_inst...b2.exe

windows10_x64

7

setup_inst...rl.dll

windows10_x64

3

setup_inst...pp.dll

windows10_x64

3

setup_inst...-1.dll

windows10_x64

3

setup_inst...-6.dll

windows10_x64

3

setup_inst...-1.dll

windows10_x64

1

setup_inst...ll.exe

windows10_x64

10

Resubmissions

27-10-2021 14:44

211027-r4madafbg6 10

27-10-2021 14:28

211027-rs7f6sfah4 10

Analysis

  • max time kernel
    321s
  • max time network
    1566s
  • submitted
    01-01-1970 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_installer/Wed09b3a5ca1a712d390.exe

Score
10/10
redlinediscoveryinfostealerpersistencespywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09b3a5ca1a712d390.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09b3a5ca1a712d390.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Roaming\4793533.exe
      "C:\Users\Admin\AppData\Roaming\4793533.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3984
    • C:\Users\Admin\AppData\Roaming\3666425.exe
      "C:\Users\Admin\AppData\Roaming\3666425.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3436
    • C:\Users\Admin\AppData\Roaming\127318.exe
      "C:\Users\Admin\AppData\Roaming\127318.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4092
    • C:\Users\Admin\AppData\Roaming\8803869.exe
      "C:\Users\Admin\AppData\Roaming\8803869.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\127318.exe
    MD5

    77172e261caaf310b7f2e68fe5ca0012

    SHA1

    f7656bed5475b06379898d3a7abac8bbfa41671f

    SHA256

    bd84d36b0ef7d50d628018a588c13acc143339dc4443bc21dfb55bce5a4a260d

    SHA512

    34b06f9825e8ea3ad69efe8fcbea34770df871a88e4a715de384f20afbcd0990052de582a6c6c3538f7de1616e4d569c21dc2f0cbc75bd1a988aa8495cebd3fc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\127318.exe
    MD5

    77172e261caaf310b7f2e68fe5ca0012

    SHA1

    f7656bed5475b06379898d3a7abac8bbfa41671f

    SHA256

    bd84d36b0ef7d50d628018a588c13acc143339dc4443bc21dfb55bce5a4a260d

    SHA512

    34b06f9825e8ea3ad69efe8fcbea34770df871a88e4a715de384f20afbcd0990052de582a6c6c3538f7de1616e4d569c21dc2f0cbc75bd1a988aa8495cebd3fc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3666425.exe
    MD5

    ff722d7588cb426273a38d99bab58e16

    SHA1

    7a0bdf89467f0296980c3e7b3cebdf2a18d00808

    SHA256

    6a85aa395bafcc389c947aca9a23bcdd4a665d0420b46d1a8785e404e0486056

    SHA512

    0d97b46e0451e09901b57ea4e132b9b7e1f8e78d3edf961218fab0043abdb1c063301f51ad77e06cd4805ec9b5842c74c5f0a5d8bf82d3ae2371ea5d286c4693

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3666425.exe
    MD5

    ff722d7588cb426273a38d99bab58e16

    SHA1

    7a0bdf89467f0296980c3e7b3cebdf2a18d00808

    SHA256

    6a85aa395bafcc389c947aca9a23bcdd4a665d0420b46d1a8785e404e0486056

    SHA512

    0d97b46e0451e09901b57ea4e132b9b7e1f8e78d3edf961218fab0043abdb1c063301f51ad77e06cd4805ec9b5842c74c5f0a5d8bf82d3ae2371ea5d286c4693

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4793533.exe
    MD5

    40b56ffaf0b24fee5bde1e1fb7212f2f

    SHA1

    ba5948f06bde7c7a92f5823ec7dfd748d336b5b0

    SHA256

    874d7a7825a86d7ac4d4b8aaeec3186dcaf747d15d48626d229fb61ab277c4bf

    SHA512

    fdd2bc4964146b9c540bf95872ca3c4a3aa66946c7371849d998ea1e13ba5497f697f12fd234c5f4bc139dc758efe521e1c7e24a67cde12f0cd8ac79e1946e03

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4793533.exe
    MD5

    40b56ffaf0b24fee5bde1e1fb7212f2f

    SHA1

    ba5948f06bde7c7a92f5823ec7dfd748d336b5b0

    SHA256

    874d7a7825a86d7ac4d4b8aaeec3186dcaf747d15d48626d229fb61ab277c4bf

    SHA512

    fdd2bc4964146b9c540bf95872ca3c4a3aa66946c7371849d998ea1e13ba5497f697f12fd234c5f4bc139dc758efe521e1c7e24a67cde12f0cd8ac79e1946e03

    Download Submit
  • C:\Users\Admin\AppData\Roaming\8803869.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\8803869.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • memory/2436-164-0x000000000A490000-0x000000000A491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2436-168-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2436-155-0x0000000000000000-mapping.dmp
    Download
  • memory/2436-172-0x000000000AFC0000-0x000000000AFC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-118-0x0000000000E60000-0x0000000000E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-121-0x0000000005750000-0x0000000005751000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-120-0x0000000002F70000-0x0000000002F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2816-144-0x0000000000F80000-0x0000000000F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2816-147-0x00000000015B0000-0x00000000015B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2816-140-0x0000000000000000-mapping.dmp
    Download
  • memory/2816-154-0x0000000005830000-0x0000000005831000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2816-148-0x000000000A3C0000-0x000000000A3C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3436-131-0x00000000006B0000-0x00000000006B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3436-136-0x0000000007360000-0x000000000739B000-memory.dmp
    Filesize

    236KB

    Download
  • memory/3436-128-0x0000000000000000-mapping.dmp
    Download
  • memory/3436-139-0x0000000007A20000-0x0000000007A21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3436-167-0x0000000002940000-0x0000000002941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-173-0x00000000079F0000-0x00000000079F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-122-0x0000000000000000-mapping.dmp
    Download
  • memory/3984-169-0x0000000007F20000-0x0000000007F21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-153-0x00000000052C0000-0x00000000052C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-176-0x0000000007B90000-0x0000000007B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-125-0x0000000000900000-0x0000000000901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-166-0x0000000007820000-0x0000000007821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-127-0x0000000002B80000-0x0000000002BA5000-memory.dmp
    Filesize

    148KB

    Download
  • memory/4092-162-0x0000000007530000-0x0000000007531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-165-0x0000000002950000-0x0000000002951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4092-152-0x0000000007600000-0x0000000007601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-170-0x0000000007570000-0x0000000007571000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-149-0x00000000074D0000-0x00000000074D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-137-0x00000000006F0000-0x00000000006F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-143-0x00000000073E0000-0x000000000741B000-memory.dmp
    Filesize

    236KB

    Download
  • memory/4092-178-0x0000000007880000-0x0000000007881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-182-0x0000000007940000-0x0000000007941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-189-0x0000000009140000-0x0000000009141000-memory.dmp
    Filesize

    4KB

    Download