Analysis

  • max time kernel
    163s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    08-11-2021 10:07

General

  • Target

    1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe

  • Size

    3.5MB

  • MD5

    e50d513140faae89008c9c433ed162a5

  • SHA1

    9b6ca10865926ae6113df2ff7f14649b9d17a153

  • SHA256

    1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62

  • SHA512

    f40b5abb0d3f1205a892c9e506c8c009d0a37785581f3b8c6f7d573d21c098ef3b3a462492b4c178b3ae51786b5ba5528959953b6df0fcf1c646e148811e00bf

Malware Config

Extracted

Family

redline

Botnet

Chris

C2

194.104.136.5:46013

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 18 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 16 IoCs