Overview

overview

10

Static

static

Fivem_Hack.exe

windows7_x64

10

Fivem_Hack.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    14-11-2021 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fivem_Hack.exe

  • Size

    324KB

  • MD5

    9754ec8f2ce3f36f0a6109e9e133de0d

  • SHA1

    b480383e43440e6dd25c12c223c4dc0aa1a2c3f2

  • SHA256

    0453f9ed4c91eced248cfb6259286dd3a908dc470240dfae4ec4f41b68b9bc29

  • SHA512

    dc712713aab342e8a4341a27029972fec3522e9c141c17e3e8a366909c0ffce54b43a5a4d30a649bdbd7331066f9767180dc3b6a0a8cf0276981413e6c9ebe75

Score
10/10
redlinexxluchxx1discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

C2

164.132.202.23:35481

Extracted

Family

redline

Botnet

xxluchxx1

C2

212.86.102.63:62907

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fivem_Hack.exe
    "C:\Users\Admin\AppData\Local\Temp\Fivem_Hack.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4348
    • C:\Users\Admin\AppData\Roaming\asfasf.exe
      "C:\Users\Admin\AppData\Roaming\asfasf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
    • C:\Users\Admin\AppData\Roaming\Memo.exe
      "C:\Users\Admin\AppData\Roaming\Memo.exe"
      2⤵
      • Executes dropped EXE
      PID:4584
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4584 -s 948
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1768
    • C:\Users\Admin\AppData\Roaming\Logeer.exe
      "C:\Users\Admin\AppData\Roaming\Logeer.exe"
      2⤵
      • Executes dropped EXE
      PID:596
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 596 -s 948
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Logeer.exe
    MD5

    4108f630579979cfb8ca2bc73dcbdc07

    SHA1

    5d3e9ee3e462dbcf826aa3996c46378effc736a5

    SHA256

    2776a758c38bf9f909a46c0e58dc62a2b5f620e487a06f43aca79ca61d110fe6

    SHA512

    29aba2fb144957696d55a4c5b753057ed8a829299da23fc8d48820248cefac43068c2ddd36543c8d208460efb0caae6e2beff087ada937849f1ab51e9520d6b5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Logeer.exe
    MD5

    4108f630579979cfb8ca2bc73dcbdc07

    SHA1

    5d3e9ee3e462dbcf826aa3996c46378effc736a5

    SHA256

    2776a758c38bf9f909a46c0e58dc62a2b5f620e487a06f43aca79ca61d110fe6

    SHA512

    29aba2fb144957696d55a4c5b753057ed8a829299da23fc8d48820248cefac43068c2ddd36543c8d208460efb0caae6e2beff087ada937849f1ab51e9520d6b5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Memo.exe
    MD5

    d663f5a1f4c8bf1bacb90324e7a38b64

    SHA1

    da0de378bcb909cf82a6a2b5766aff961c9b6bf5

    SHA256

    1791d0763a544911852e4ecde3ea6a0e3cb72aaec45bfae7cea2b1780f285c9d

    SHA512

    49189e9a346f785071bf51c391264dd303c74411c4bf258d9f34d64d197db00f28b2fd1f0c451e9c5b1aa44199bfb876c6b3470dd9e435387b55d630330d9563

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Memo.exe
    MD5

    d663f5a1f4c8bf1bacb90324e7a38b64

    SHA1

    da0de378bcb909cf82a6a2b5766aff961c9b6bf5

    SHA256

    1791d0763a544911852e4ecde3ea6a0e3cb72aaec45bfae7cea2b1780f285c9d

    SHA512

    49189e9a346f785071bf51c391264dd303c74411c4bf258d9f34d64d197db00f28b2fd1f0c451e9c5b1aa44199bfb876c6b3470dd9e435387b55d630330d9563

    Download Submit
  • C:\Users\Admin\AppData\Roaming\asfasf.exe
    MD5

    9a9120e7087d20b64a15693c53c4a9a4

    SHA1

    190ace4b886f2d5de5526234b40e7186952d771d

    SHA256

    b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2

    SHA512

    2a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe

    Download Submit
  • C:\Users\Admin\AppData\Roaming\asfasf.exe
    MD5

    9a9120e7087d20b64a15693c53c4a9a4

    SHA1

    190ace4b886f2d5de5526234b40e7186952d771d

    SHA256

    b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2

    SHA512

    2a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe

    Download Submit
  • memory/596-136-0x0000000000000000-mapping.dmp
    Download
  • memory/596-148-0x0000022E1A900000-0x0000022E1AC2C000-memory.dmp
    Filesize

    3.2MB

    Download
  • memory/596-150-0x0000022E1A8F0000-0x0000022E1A8F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/596-141-0x0000022E00000000-0x0000022E00001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4348-120-0x000000001AE80000-0x000000001AE81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4348-144-0x000000001B140000-0x000000001B141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4348-123-0x0000000002420000-0x0000000002421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4348-143-0x000000001DAA0000-0x000000001DAA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4348-118-0x0000000000140000-0x0000000000141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4348-153-0x000000001EF30000-0x000000001EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4348-121-0x0000000002280000-0x0000000002282000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4348-152-0x000000001E830000-0x000000001E831000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4348-122-0x00000000023E0000-0x00000000023FA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4348-156-0x000000001DC00000-0x000000001DC01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4348-145-0x000000001B1A0000-0x000000001B1A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4584-149-0x00000189691B0000-0x0000018969493000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/4584-151-0x00000189691A0000-0x00000189691A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4584-129-0x0000000000000000-mapping.dmp
    Download
  • memory/4584-134-0x0000018966790000-0x0000018966791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4696-124-0x0000000000000000-mapping.dmp
    Download
  • memory/4696-133-0x0000000002830000-0x0000000002848000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4696-127-0x0000000000720000-0x0000000000721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4696-138-0x000000001B4D0000-0x000000001B4D2000-memory.dmp
    Filesize

    8KB

    Download