Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
14-11-2021 13:24
Static task
static1
Behavioral task
behavioral1
Sample
Fivem_Hack.exe
Resource
win7-en-20211104
General
-
Target
Fivem_Hack.exe
-
Size
324KB
-
MD5
9754ec8f2ce3f36f0a6109e9e133de0d
-
SHA1
b480383e43440e6dd25c12c223c4dc0aa1a2c3f2
-
SHA256
0453f9ed4c91eced248cfb6259286dd3a908dc470240dfae4ec4f41b68b9bc29
-
SHA512
dc712713aab342e8a4341a27029972fec3522e9c141c17e3e8a366909c0ffce54b43a5a4d30a649bdbd7331066f9767180dc3b6a0a8cf0276981413e6c9ebe75
Malware Config
Extracted
redline
164.132.202.23:35481
Extracted
redline
xxluchxx1
212.86.102.63:62907
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4348-122-0x00000000023E0000-0x00000000023FA000-memory.dmp family_redline behavioral2/memory/4696-133-0x0000000002830000-0x0000000002848000-memory.dmp family_redline -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
asfasf.exeMemo.exeLogeer.exepid process 4696 asfasf.exe 4584 Memo.exe 596 Logeer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 1624 596 WerFault.exe Logeer.exe 1768 4584 WerFault.exe Memo.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Fivem_Hack.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fivem_Hack.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Fivem_Hack.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
Fivem_Hack.exeWerFault.exeWerFault.exeasfasf.exepid process 4348 Fivem_Hack.exe 4348 Fivem_Hack.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1624 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 1768 WerFault.exe 4696 asfasf.exe 4348 Fivem_Hack.exe 4696 asfasf.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Fivem_Hack.exeasfasf.exeWerFault.exeWerFault.exedescription pid process Token: SeDebugPrivilege 4348 Fivem_Hack.exe Token: SeDebugPrivilege 4696 asfasf.exe Token: SeDebugPrivilege 1624 WerFault.exe Token: SeDebugPrivilege 1768 WerFault.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Fivem_Hack.exedescription pid process target process PID 4348 wrote to memory of 4696 4348 Fivem_Hack.exe asfasf.exe PID 4348 wrote to memory of 4696 4348 Fivem_Hack.exe asfasf.exe PID 4348 wrote to memory of 4584 4348 Fivem_Hack.exe Memo.exe PID 4348 wrote to memory of 4584 4348 Fivem_Hack.exe Memo.exe PID 4348 wrote to memory of 596 4348 Fivem_Hack.exe Logeer.exe PID 4348 wrote to memory of 596 4348 Fivem_Hack.exe Logeer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fivem_Hack.exe"C:\Users\Admin\AppData\Local\Temp\Fivem_Hack.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\asfasf.exe"C:\Users\Admin\AppData\Roaming\asfasf.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Memo.exe"C:\Users\Admin\AppData\Roaming\Memo.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4584 -s 9483⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Logeer.exe"C:\Users\Admin\AppData\Roaming\Logeer.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 596 -s 9483⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Logeer.exeMD5
4108f630579979cfb8ca2bc73dcbdc07
SHA15d3e9ee3e462dbcf826aa3996c46378effc736a5
SHA2562776a758c38bf9f909a46c0e58dc62a2b5f620e487a06f43aca79ca61d110fe6
SHA51229aba2fb144957696d55a4c5b753057ed8a829299da23fc8d48820248cefac43068c2ddd36543c8d208460efb0caae6e2beff087ada937849f1ab51e9520d6b5
-
C:\Users\Admin\AppData\Roaming\Logeer.exeMD5
4108f630579979cfb8ca2bc73dcbdc07
SHA15d3e9ee3e462dbcf826aa3996c46378effc736a5
SHA2562776a758c38bf9f909a46c0e58dc62a2b5f620e487a06f43aca79ca61d110fe6
SHA51229aba2fb144957696d55a4c5b753057ed8a829299da23fc8d48820248cefac43068c2ddd36543c8d208460efb0caae6e2beff087ada937849f1ab51e9520d6b5
-
C:\Users\Admin\AppData\Roaming\Memo.exeMD5
d663f5a1f4c8bf1bacb90324e7a38b64
SHA1da0de378bcb909cf82a6a2b5766aff961c9b6bf5
SHA2561791d0763a544911852e4ecde3ea6a0e3cb72aaec45bfae7cea2b1780f285c9d
SHA51249189e9a346f785071bf51c391264dd303c74411c4bf258d9f34d64d197db00f28b2fd1f0c451e9c5b1aa44199bfb876c6b3470dd9e435387b55d630330d9563
-
C:\Users\Admin\AppData\Roaming\Memo.exeMD5
d663f5a1f4c8bf1bacb90324e7a38b64
SHA1da0de378bcb909cf82a6a2b5766aff961c9b6bf5
SHA2561791d0763a544911852e4ecde3ea6a0e3cb72aaec45bfae7cea2b1780f285c9d
SHA51249189e9a346f785071bf51c391264dd303c74411c4bf258d9f34d64d197db00f28b2fd1f0c451e9c5b1aa44199bfb876c6b3470dd9e435387b55d630330d9563
-
C:\Users\Admin\AppData\Roaming\asfasf.exeMD5
9a9120e7087d20b64a15693c53c4a9a4
SHA1190ace4b886f2d5de5526234b40e7186952d771d
SHA256b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2
SHA5122a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe
-
C:\Users\Admin\AppData\Roaming\asfasf.exeMD5
9a9120e7087d20b64a15693c53c4a9a4
SHA1190ace4b886f2d5de5526234b40e7186952d771d
SHA256b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2
SHA5122a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe
-
memory/596-136-0x0000000000000000-mapping.dmp
-
memory/596-148-0x0000022E1A900000-0x0000022E1AC2C000-memory.dmpFilesize
3.2MB
-
memory/596-150-0x0000022E1A8F0000-0x0000022E1A8F2000-memory.dmpFilesize
8KB
-
memory/596-141-0x0000022E00000000-0x0000022E00001000-memory.dmpFilesize
4KB
-
memory/4348-120-0x000000001AE80000-0x000000001AE81000-memory.dmpFilesize
4KB
-
memory/4348-144-0x000000001B140000-0x000000001B141000-memory.dmpFilesize
4KB
-
memory/4348-123-0x0000000002420000-0x0000000002421000-memory.dmpFilesize
4KB
-
memory/4348-143-0x000000001DAA0000-0x000000001DAA1000-memory.dmpFilesize
4KB
-
memory/4348-118-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/4348-153-0x000000001EF30000-0x000000001EF31000-memory.dmpFilesize
4KB
-
memory/4348-121-0x0000000002280000-0x0000000002282000-memory.dmpFilesize
8KB
-
memory/4348-152-0x000000001E830000-0x000000001E831000-memory.dmpFilesize
4KB
-
memory/4348-122-0x00000000023E0000-0x00000000023FA000-memory.dmpFilesize
104KB
-
memory/4348-156-0x000000001DC00000-0x000000001DC01000-memory.dmpFilesize
4KB
-
memory/4348-145-0x000000001B1A0000-0x000000001B1A1000-memory.dmpFilesize
4KB
-
memory/4584-149-0x00000189691B0000-0x0000018969493000-memory.dmpFilesize
2.9MB
-
memory/4584-151-0x00000189691A0000-0x00000189691A2000-memory.dmpFilesize
8KB
-
memory/4584-129-0x0000000000000000-mapping.dmp
-
memory/4584-134-0x0000018966790000-0x0000018966791000-memory.dmpFilesize
4KB
-
memory/4696-124-0x0000000000000000-mapping.dmp
-
memory/4696-133-0x0000000002830000-0x0000000002848000-memory.dmpFilesize
96KB
-
memory/4696-127-0x0000000000720000-0x0000000000721000-memory.dmpFilesize
4KB
-
memory/4696-138-0x000000001B4D0000-0x000000001B4D2000-memory.dmpFilesize
8KB