Analysis
max time kernel: 147s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211014
submitted: 07-11-2021 08:46
Static task: static1
Behavioral task: behavioral1
Sample: 5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5.exe
Resource: win10-en-20211014

General
Target: 5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5.exe
Size: 875KB
MD5: 6441aef8da572f0501246046025c003b
SHA1: 522662a7e934e94afc6c42a73ddfaede2df82d3c
SHA256: 5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5
SHA512: 12ca37966fcaebabf1f5768f4d344c8838ec18e6adbbe5dc9c4b8dafc7e0d2323119706f61586cc8ec5bfbceb561968230efdd1bebe1880f7329e1243d8ae54c
Malware Config
Extracted
Family: redline
Botnet: next2
C2: bigboobstop.store:34585
C2: boyshipgir.site:34585
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
YARA rule family_redline matched in:
- behavioral1/memory/1516-129-0x0000000000F00000-0x0000000000F20000-memory.dmp
- behavioral1/memory/1516-138-0x0000000005390000-0x0000000005996000-memory.dmp

Executes dropped EXE (3 IoCs)
- PID 1336 Far.exe.com
- PID 2240 Far.exe.com
- PID 1516 RegAsm.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: 5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 2240 Far.exe.com set thread context of PID 1516 RegAsm.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of FindShellTrayWindow (6 IoCs)
- PID 1336 Far.exe.com (3 times)
- PID 2240 Far.exe.com (3 times)

Suspicious use of SendNotifyMessage (6 IoCs)
- PID 1336 Far.exe.com (3 times)
- PID 2240 Far.exe.com (3 times)

Suspicious use of WriteProcessMemory (26 IoCs)
- PID 2752 5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5.exe wrote to memory of PID 3756 at.exe (3 times)
- PID 2752 5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5.exe wrote to memory of PID 2548 cmd.exe (3 times)
- PID 2548 cmd.exe wrote to memory of PID 3040 cmd.exe (3 times)
- PID 3040 cmd.exe wrote to memory of PID 3156 findstr.exe (3 times)
- PID 3040 cmd.exe wrote to memory of PID 1336 Far.exe.com (3 times)
- PID 3040 cmd.exe wrote to memory of PID 828 PING.EXE (3 times)
- PID 1336 Far.exe.com wrote to memory of PID 2240 Far.exe.com (3 times)
- PID 2240 Far.exe.com wrote to memory of PID 1516 RegAsm.exe (5 times)
Processes (number = depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5694c5dc54ff79ecc4c39d5b79c7266309c29016d061ca60d6cd1a123f9eafc5.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\at.exe
      Command line: at.exe

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c cmd < Mio.tmp
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /V /R "^gZJMDfNgAWulCLDMjPeUKjIgvqRGVCVqsGnJckfGtQKOFRSvdehObvfescfCbiaXwySWhTdwAvQTCUIEoxfTguDVsvaqVNoWnMNAYWpbMjgwFcAvNLxrRmJUBXERAfyMhTcPiiGjlSiwRCfWVWhla$" Bisogna.tmp

         4. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com
            Command line: Far.exe.com s
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com s
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
                  - Executes dropped EXE

         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.tmp
MD5: 05ed656fc5cab18eb14af775be43148b
SHA1: 48e5abc7aaed7afe9dc23d70f1d6e0be6004f4d4
SHA256: 425bccb6a2450d8de221ebe571246fa64d3f4a6db4e890e22eda985d37fe389f
SHA512: d3c7bd62d782c89721cad2b548382c696b76270e6fab1ebb7c945392750a76b85a126e6bc213dfe8ec1b34689754c3a79a6be49fee02c124ece2cff323ff0f9c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.exe.com (listed 3 times with identical hashes)
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mio.tmp
MD5: 291e3083211ce33a202c1dab5c6e525f
SHA1: 8f96e0816d317f3fd9d8aaa3c166afaf1a4c96a6
SHA256: 82f5f782115b00ef70d0607bc3c9e0f138ee5180c41d08422e50a5ec08995754
SHA512: 14a4bfa4a034ed508a4fd837be8996554190a99ca37ec9543dfda6e607c98b7f115e07ae719c25627cc16435ebc3234703c36c82093b753e64900d96b2048785

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nudo.tmp
MD5: 9d60d7968b394af44a99597162f5d003
SHA1: e7a6c00cd146e0eb3f0acef481e63e4ae2d5c6ae
SHA256: a710b5979b22c93dbefed8680d754916df0b4ef310dc2ffcd4b17bf4c381df40
SHA512: a9fa92dd81299020ff9b85495c4498e07ad186b95f4bc083b2dc675468fb137b418943af555e7b1b1b651a47a1dd3917222dce2495ce1ef5f2a138c2f277648d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe (listed 2 times with identical hashes)
MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s (same hashes as Nudo.tmp)
MD5: 9d60d7968b394af44a99597162f5d003
SHA1: e7a6c00cd146e0eb3f0acef481e63e4ae2d5c6ae
SHA256: a710b5979b22c93dbefed8680d754916df0b4ef310dc2ffcd4b17bf4c381df40
SHA512: a9fa92dd81299020ff9b85495c4498e07ad186b95f4bc083b2dc675468fb137b418943af555e7b1b1b651a47a1dd3917222dce2495ce1ef5f2a138c2f277648d

Memory dumps
- memory/828-124-0x0000000000000000-mapping.dmp
- memory/1336-122-0x0000000000000000-mapping.dmp
- memory/1516-136-0x0000000002FF0000-0x0000000002FF1000-memory.dmp (4KB)
- memory/1516-140-0x0000000005410000-0x0000000005411000-memory.dmp (4KB)
- memory/1516-139-0x00000000053D0000-0x00000000053D1000-memory.dmp (4KB)
- memory/1516-138-0x0000000005390000-0x0000000005996000-memory.dmp (6.0MB)
- memory/1516-129-0x0000000000F00000-0x0000000000F20000-memory.dmp (128KB)
- memory/1516-137-0x00000000054A0000-0x00000000054A1000-memory.dmp (4KB)
- memory/1516-135-0x00000000059A0000-0x00000000059A1000-memory.dmp (4KB)
- memory/2240-126-0x0000000000000000-mapping.dmp
- memory/2548-116-0x0000000000000000-mapping.dmp
- memory/3040-118-0x0000000000000000-mapping.dmp
- memory/3156-119-0x0000000000000000-mapping.dmp
- memory/3756-115-0x0000000000000000-mapping.dmp