Overview

overview

10

Static

static

10

setup_inst...32.exe

windows7_x64

10

setup_inst...32.exe

windows10_x64

10

setup_inst...2b.exe

windows7_x64

8

setup_inst...2b.exe

windows10_x64

8

setup_inst...61.exe

windows7_x64

10

setup_inst...61.exe

windows10_x64

10

setup_inst...f8.exe

windows7_x64

10

setup_inst...f8.exe

windows10_x64

10

setup_inst...34.exe

windows7_x64

10

setup_inst...34.exe

windows10_x64

10

setup_inst...c2.exe

windows7_x64

3

setup_inst...c2.exe

windows10_x64

10

setup_inst...cb.exe

windows7_x64

10

setup_inst...cb.exe

windows10_x64

10

setup_inst...90.exe

windows7_x64

10

setup_inst...90.exe

windows10_x64

10

setup_inst...79.exe

windows7_x64

6

setup_inst...79.exe

windows10_x64

6

setup_inst...d8.exe

windows7_x64

7

setup_inst...d8.exe

windows10_x64

3

setup_inst...3b.exe

windows7_x64

8

setup_inst...3b.exe

windows10_x64

8

setup_inst...ac.exe

windows7_x64

10

setup_inst...ac.exe

windows10_x64

10

setup_inst...38.exe

windows7_x64

10

setup_inst...38.exe

windows10_x64

10

setup_inst...b5.exe

windows7_x64

10

setup_inst...b5.exe

windows10_x64

10

setup_inst...b2.exe

windows7_x64

7

setup_inst...b2.exe

windows10_x64

7

setup_inst...rl.dll

windows7_x64

3

setup_inst...rl.dll

windows10_x64

3

Resubmissions

27-10-2021 14:44

211027-r4madafbg6 10

27-10-2021 14:28

211027-rs7f6sfah4 10

Analysis

  • max time kernel
    120s
  • max time network
    138s
  • submitted
    01-01-1970 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_installer/Wed09b3a5ca1a712d390.exe

Score
10/10
redlinediscoveryinfostealerpersistencespywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09b3a5ca1a712d390.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09b3a5ca1a712d390.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Users\Admin\AppData\Roaming\2735434.exe
      "C:\Users\Admin\AppData\Roaming\2735434.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:876
    • C:\Users\Admin\AppData\Roaming\2392300.exe
      "C:\Users\Admin\AppData\Roaming\2392300.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3960
    • C:\Users\Admin\AppData\Roaming\5775033.exe
      "C:\Users\Admin\AppData\Roaming\5775033.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3608
    • C:\Users\Admin\AppData\Roaming\7216295.exe
      "C:\Users\Admin\AppData\Roaming\7216295.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3336
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\2392300.exe
    MD5

    ff722d7588cb426273a38d99bab58e16

    SHA1

    7a0bdf89467f0296980c3e7b3cebdf2a18d00808

    SHA256

    6a85aa395bafcc389c947aca9a23bcdd4a665d0420b46d1a8785e404e0486056

    SHA512

    0d97b46e0451e09901b57ea4e132b9b7e1f8e78d3edf961218fab0043abdb1c063301f51ad77e06cd4805ec9b5842c74c5f0a5d8bf82d3ae2371ea5d286c4693

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2392300.exe
    MD5

    ff722d7588cb426273a38d99bab58e16

    SHA1

    7a0bdf89467f0296980c3e7b3cebdf2a18d00808

    SHA256

    6a85aa395bafcc389c947aca9a23bcdd4a665d0420b46d1a8785e404e0486056

    SHA512

    0d97b46e0451e09901b57ea4e132b9b7e1f8e78d3edf961218fab0043abdb1c063301f51ad77e06cd4805ec9b5842c74c5f0a5d8bf82d3ae2371ea5d286c4693

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2735434.exe
    MD5

    40b56ffaf0b24fee5bde1e1fb7212f2f

    SHA1

    ba5948f06bde7c7a92f5823ec7dfd748d336b5b0

    SHA256

    874d7a7825a86d7ac4d4b8aaeec3186dcaf747d15d48626d229fb61ab277c4bf

    SHA512

    fdd2bc4964146b9c540bf95872ca3c4a3aa66946c7371849d998ea1e13ba5497f697f12fd234c5f4bc139dc758efe521e1c7e24a67cde12f0cd8ac79e1946e03

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2735434.exe
    MD5

    40b56ffaf0b24fee5bde1e1fb7212f2f

    SHA1

    ba5948f06bde7c7a92f5823ec7dfd748d336b5b0

    SHA256

    874d7a7825a86d7ac4d4b8aaeec3186dcaf747d15d48626d229fb61ab277c4bf

    SHA512

    fdd2bc4964146b9c540bf95872ca3c4a3aa66946c7371849d998ea1e13ba5497f697f12fd234c5f4bc139dc758efe521e1c7e24a67cde12f0cd8ac79e1946e03

    Download Submit
  • C:\Users\Admin\AppData\Roaming\5775033.exe
    MD5

    77172e261caaf310b7f2e68fe5ca0012

    SHA1

    f7656bed5475b06379898d3a7abac8bbfa41671f

    SHA256

    bd84d36b0ef7d50d628018a588c13acc143339dc4443bc21dfb55bce5a4a260d

    SHA512

    34b06f9825e8ea3ad69efe8fcbea34770df871a88e4a715de384f20afbcd0990052de582a6c6c3538f7de1616e4d569c21dc2f0cbc75bd1a988aa8495cebd3fc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\5775033.exe
    MD5

    77172e261caaf310b7f2e68fe5ca0012

    SHA1

    f7656bed5475b06379898d3a7abac8bbfa41671f

    SHA256

    bd84d36b0ef7d50d628018a588c13acc143339dc4443bc21dfb55bce5a4a260d

    SHA512

    34b06f9825e8ea3ad69efe8fcbea34770df871a88e4a715de384f20afbcd0990052de582a6c6c3538f7de1616e4d569c21dc2f0cbc75bd1a988aa8495cebd3fc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7216295.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7216295.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • memory/876-173-0x0000000007740000-0x0000000007741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/876-149-0x0000000007290000-0x0000000007291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/876-119-0x0000000000000000-mapping.dmp
    Download
  • memory/876-151-0x0000000007990000-0x0000000007991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/876-124-0x0000000007020000-0x0000000007045000-memory.dmp
    Filesize

    148KB

    Download
  • memory/876-122-0x00000000003A0000-0x00000000003A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/876-166-0x0000000007500000-0x0000000007501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/876-136-0x0000000004B60000-0x0000000004B61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2672-169-0x00000000012B0000-0x00000000012B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2672-163-0x000000000AA70000-0x000000000AA71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2672-156-0x0000000000000000-mapping.dmp
    Download
  • memory/2672-170-0x000000000B5A0000-0x000000000B5A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3336-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3336-153-0x0000000005420000-0x0000000005421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3336-141-0x0000000000B70000-0x0000000000B71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3336-150-0x000000000AFB0000-0x000000000AFB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3336-147-0x0000000001520000-0x0000000001521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-129-0x0000000000000000-mapping.dmp
    Download
  • memory/3608-133-0x0000000000520000-0x0000000000521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-144-0x0000000004CE0000-0x0000000004D1B000-memory.dmp
    Filesize

    236KB

    Download
  • memory/3608-188-0x0000000009AE0000-0x0000000009AE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-179-0x0000000007770000-0x0000000007771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-155-0x0000000004F30000-0x0000000004F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-174-0x0000000007690000-0x0000000007691000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-167-0x0000000007380000-0x0000000007381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3688-115-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3688-118-0x0000000005790000-0x0000000005791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3688-117-0x0000000002FD0000-0x0000000002FD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3960-128-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3960-145-0x0000000007150000-0x0000000007151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3960-164-0x0000000007080000-0x0000000007081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3960-139-0x0000000002340000-0x000000000237B000-memory.dmp
    Filesize

    236KB

    Download
  • memory/3960-125-0x0000000000000000-mapping.dmp
    Download
  • memory/3960-140-0x0000000007630000-0x0000000007631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3960-154-0x0000000004C90000-0x0000000004C91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3960-143-0x0000000007020000-0x0000000007021000-memory.dmp
    Filesize

    4KB

    Download