Overview

overview

10

Static

static

5694c5dc54...1c.exe

windows7_x64

10

5694c5dc54...1c.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    06-11-2021 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5694c5dc54ff79ecc4c39d5b79c7266309c29016d061c.exe

  • Size

    875KB

  • MD5

    6441aef8da572f0501246046025c003b

  • SHA1

    522662a7e934e94afc6c42a73ddfaede2df82d3c

  • SHA256

    5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5

  • SHA512

    12ca37966fcaebabf1f5768f4d344c8838ec18e6adbbe5dc9c4b8dafc7e0d2323119706f61586cc8ec5bfbceb561968230efdd1bebe1880f7329e1243d8ae54c

Score
10/10
redlinenext2discoveryinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

next2

C2

bigboobstop.store:34585

boyshipgir.site:34585

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5694c5dc54ff79ecc4c39d5b79c7266309c29016d061c.exe
    "C:\Users\Admin\AppData\Local\Temp\5694c5dc54ff79ecc4c39d5b79c7266309c29016d061c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Windows\SysWOW64\at.exe
      at.exe
      2⤵
        PID:648
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Mio.tmp
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1476
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^gZJMDfNgAWulCLDMjPeUKjIgvqRGVCVqsGnJckfGtQKOFRSvdehObvfescfCbiaXwySWhTdwAvQTCUIEoxfTguDVsvaqVNoWnMNAYWpbMjgwFcAvNLxrRmJUBXERAfyMhTcPiiGjlSiwRCfWVWhla$" Bisogna.tmp
            4⤵
              PID:1328
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com
              Far.exe.com s
              4⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2400
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com s
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:3468
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1592
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:68

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.tmp
        MD5

        05ed656fc5cab18eb14af775be43148b

        SHA1

        48e5abc7aaed7afe9dc23d70f1d6e0be6004f4d4

        SHA256

        425bccb6a2450d8de221ebe571246fa64d3f4a6db4e890e22eda985d37fe389f

        SHA512

        d3c7bd62d782c89721cad2b548382c696b76270e6fab1ebb7c945392750a76b85a126e6bc213dfe8ec1b34689754c3a79a6be49fee02c124ece2cff323ff0f9c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com
        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com
        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com
        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mio.tmp
        MD5

        291e3083211ce33a202c1dab5c6e525f

        SHA1

        8f96e0816d317f3fd9d8aaa3c166afaf1a4c96a6

        SHA256

        82f5f782115b00ef70d0607bc3c9e0f138ee5180c41d08422e50a5ec08995754

        SHA512

        14a4bfa4a034ed508a4fd837be8996554190a99ca37ec9543dfda6e607c98b7f115e07ae719c25627cc16435ebc3234703c36c82093b753e64900d96b2048785

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nudo.tmp
        MD5

        9d60d7968b394af44a99597162f5d003

        SHA1

        e7a6c00cd146e0eb3f0acef481e63e4ae2d5c6ae

        SHA256

        a710b5979b22c93dbefed8680d754916df0b4ef310dc2ffcd4b17bf4c381df40

        SHA512

        a9fa92dd81299020ff9b85495c4498e07ad186b95f4bc083b2dc675468fb137b418943af555e7b1b1b651a47a1dd3917222dce2495ce1ef5f2a138c2f277648d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
        MD5

        b58b926c3574d28d5b7fdd2ca3ec30d5

        SHA1

        d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

        SHA256

        6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

        SHA512

        b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
        MD5

        b58b926c3574d28d5b7fdd2ca3ec30d5

        SHA1

        d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

        SHA256

        6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

        SHA512

        b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s
        MD5

        9d60d7968b394af44a99597162f5d003

        SHA1

        e7a6c00cd146e0eb3f0acef481e63e4ae2d5c6ae

        SHA256

        a710b5979b22c93dbefed8680d754916df0b4ef310dc2ffcd4b17bf4c381df40

        SHA512

        a9fa92dd81299020ff9b85495c4498e07ad186b95f4bc083b2dc675468fb137b418943af555e7b1b1b651a47a1dd3917222dce2495ce1ef5f2a138c2f277648d

        Download Submit
      • memory/68-127-0x0000000000000000-mapping.dmp
        Download
      • memory/648-118-0x0000000000000000-mapping.dmp
        Download
      • memory/1328-122-0x0000000000000000-mapping.dmp
        Download
      • memory/1476-121-0x0000000000000000-mapping.dmp
        Download
      • memory/1592-142-0x00000000058C0000-0x00000000058C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-143-0x0000000005790000-0x0000000005D96000-memory.dmp
        Filesize

        6.0MB

        Download
      • memory/1592-151-0x0000000007B80000-0x0000000007B81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-150-0x0000000007480000-0x0000000007481000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-138-0x0000000005DA0000-0x0000000005DA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-139-0x0000000005820000-0x0000000005821000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-140-0x0000000005950000-0x0000000005951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-141-0x0000000005880000-0x0000000005881000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-149-0x0000000007260000-0x0000000007261000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-132-0x00000000011D0000-0x00000000011F0000-memory.dmp
        Filesize

        128KB

        Download
      • memory/1592-144-0x00000000068B0000-0x00000000068B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-145-0x0000000005C30000-0x0000000005C31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-146-0x0000000006780000-0x0000000006781000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-147-0x0000000006DB0000-0x0000000006DB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1592-148-0x0000000006E50000-0x0000000006E51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2400-125-0x0000000000000000-mapping.dmp
        Download
      • memory/2712-119-0x0000000000000000-mapping.dmp
        Download
      • memory/3468-129-0x0000000000000000-mapping.dmp
        Download