Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
14-11-2021 13:24
Static task
static1
Behavioral task
behavioral1
Sample
Fivem_Hack.exe
Resource
win7-en-20211104
General
-
Target
Fivem_Hack.exe
-
Size
324KB
-
MD5
9754ec8f2ce3f36f0a6109e9e133de0d
-
SHA1
b480383e43440e6dd25c12c223c4dc0aa1a2c3f2
-
SHA256
0453f9ed4c91eced248cfb6259286dd3a908dc470240dfae4ec4f41b68b9bc29
-
SHA512
dc712713aab342e8a4341a27029972fec3522e9c141c17e3e8a366909c0ffce54b43a5a4d30a649bdbd7331066f9767180dc3b6a0a8cf0276981413e6c9ebe75
Malware Config
Extracted
redline
164.132.202.23:35481
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1080-57-0x0000000000410000-0x000000000042A000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Fivem_Hack.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fivem_Hack.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Fivem_Hack.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Fivem_Hack.exepid process 1080 Fivem_Hack.exe 1080 Fivem_Hack.exe 1080 Fivem_Hack.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Fivem_Hack.exedescription pid process Token: SeDebugPrivilege 1080 Fivem_Hack.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1080-55-0x0000000000990000-0x0000000000991000-memory.dmpFilesize
4KB
-
memory/1080-57-0x0000000000410000-0x000000000042A000-memory.dmpFilesize
104KB
-
memory/1080-58-0x000000001B210000-0x000000001B212000-memory.dmpFilesize
8KB
-
memory/1080-59-0x000000001B216000-0x000000001B235000-memory.dmpFilesize
124KB