Analysis

Max time kernel: 121s
Max time network: 121s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 15-11-2021 07:57

Static task: static1
Behavioral task: behavioral1
Sample: EFT Hack.exe
Resource: win7-en-20211104
General

Target: EFT Hack.exe
Size: 350KB
MD5: 8a5f138470d1421585b558043b8d26fa
SHA1: 56759e6f4c2eb180fb449ddb620f5219a809b5b8
SHA256: f7971194bce16c44ebfe7a2fcca4f2c1dbfedb50394b2fa90e789caafdef07cc
SHA512: cd041591b172a02eb176fbdf47d7582dba547c253efd248c1ea45fc06161d0f4e0d84e7e8455690412ee6a194f7475fbb762fccd927afe95d6e3193460e3dd7e
Malware Config

Extracted
Family: redline
C2: 23.88.109.42:55961
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (6 IoCs)
YARA rule family_redline matched these memory dumps of PID 1876 (all from task behavioral1):
- memory/1876-62-0x0000000000080000-0x00000000000A0000-memory.dmp
- memory/1876-61-0x0000000000080000-0x00000000000A0000-memory.dmp
- memory/1876-64-0x000000000041B41E-mapping.dmp
- memory/1876-65-0x0000000000080000-0x00000000000A0000-memory.dmp
- memory/1876-68-0x0000000000080000-0x00000000000A0000-memory.dmp
- memory/1876-71-0x0000000000080000-0x00000000000A0000-memory.dmp

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
- PID 536 (EFT Hack.exe) set thread context of PID 1876 (EFT Hack.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EFT Hack.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (EFT Hack.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 1876 (EFT Hack.exe), 3 occurrences

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 1876 (EFT Hack.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 536 (EFT Hack.exe) wrote to memory of PID 1876 (EFT Hack.exe), 9 occurrences
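The SetThreadContext and WriteProcessMemory entries above, read together, are the self-injection pattern: PID 536 writes into a second instance of its own image (PID 1876) and then redirects that instance's thread. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses IoC rows in the report's own flattened layout (the RedLine rows are transcribed from the tables above; the two rows marked constructed are made up to show the rule rejecting benign look-alikes) and flags any source/target pair that did both things. Anchoring the regex on a trailing ".exe" to split the two space-containing image names is this example's assumption about the row layout.

```python
"""Flag the self-injection (process hollowing style) pattern recorded in a
sandbox report: one process writes into another process's memory and also
resets that process's thread context.

Added example; not part of the sandbox report. REPORT_ROWS are transcribed
from the report's SetThreadContext / WriteProcessMemory IoC tables.
CONSTRUCTED_ROWS are invented here to exercise the negative cases.
"""
import re
from collections import defaultdict

# Row layout used by the report:
#   "PID <src> <action> <dst> <src> <src image> <dst image>"
# Assumption: image names end in ".exe" (they may contain spaces, so the
# regex anchors on that suffix rather than on whitespace).
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>.+?\.exe) (?P<dst_image>.+?\.exe)$"
)

REPORT_ROWS = [
    "PID 536 set thread context of 1876 536 EFT Hack.exe EFT Hack.exe",
] + ["PID 536 wrote to memory of 1876 536 EFT Hack.exe EFT Hack.exe"] * 9

CONSTRUCTED_ROWS = [
    # constructed: a write with no thread-context change (debugger-like), not flagged
    "PID 4000 wrote to memory of 4100 4000 devenv.exe app.exe",
    # constructed: thread context set but nothing written, not flagged by this rule
    "PID 5000 set thread context of 5100 5000 a.exe b.exe",
]


def parse_rows(rows):
    """Turn report rows into dicts; raise on anything the regex does not fit."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised IoC row: {row!r}")
        out.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "action": "write" if m["action"].startswith("wrote") else "set_context",
            "src_image": m["src_image"],
            "dst_image": m["dst_image"],
        })
    return out


def find_hollowing(events):
    """One finding per (src, dst) pair that both wrote memory into the target
    and set its thread context. 'self-hollowing' when both images match (the
    pattern in this report), 'injection' when the target is a different image."""
    counts = defaultdict(lambda: {"write": 0, "set_context": 0})
    images = {}
    for e in events:
        key = (e["src"], e["dst"])
        counts[key][e["action"]] += 1
        images[key] = (e["src_image"], e["dst_image"])
    findings = []
    for (src, dst), c in sorted(counts.items()):
        if c["write"] and c["set_context"]:
            src_img, dst_img = images[(src, dst)]
            findings.append({
                "src": src,
                "dst": dst,
                "writes": c["write"],
                "kind": "self-hollowing" if src_img == dst_img else "injection",
                "image": dst_img,
            })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(parse_rows(REPORT_ROWS + CONSTRUCTED_ROWS)):
        print(f"{f['kind']}: PID {f['src']} -> PID {f['dst']} "
              f"({f['image']}), {f['writes']} write(s)")
```

The rule keys on the combination of the two actions because writes into another process on their own are routine (debuggers, instrumentation, crash handlers); the same-image test is what separates this sample's unpacking into a copy of itself from injection into a system binary, which the same code labels "injection".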
Processes

[1] C:\Users\Admin\AppData\Local\Temp\EFT Hack.exe (PID 536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EFT Hack.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\EFT Hack.exe (PID 1876, child of [1])
    Command line: "C:\Users\Admin\AppData\Local\Temp\EFT Hack.exe"
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/536-55-0x0000000000310000-0x0000000000311000-memory.dmp (4KB)
- memory/536-57-0x00000000765D1000-0x00000000765D3000-memory.dmp (8KB)
- memory/536-58-0x0000000000590000-0x0000000000591000-memory.dmp (4KB)
- memory/1876-59-0x0000000000080000-0x00000000000A0000-memory.dmp (128KB)
- memory/1876-60-0x0000000000080000-0x00000000000A0000-memory.dmp (128KB)
- memory/1876-62-0x0000000000080000-0x00000000000A0000-memory.dmp (128KB)
- memory/1876-61-0x0000000000080000-0x00000000000A0000-memory.dmp (128KB)
- memory/1876-64-0x000000000041B41E-mapping.dmp
- memory/1876-65-0x0000000000080000-0x00000000000A0000-memory.dmp (128KB)
- memory/1876-68-0x0000000000080000-0x00000000000A0000-memory.dmp (128KB)
- memory/1876-71-0x0000000000080000-0x00000000000A0000-memory.dmp (128KB)
- memory/1876-72-0x0000000000080000-0x0000000000082000-memory.dmp (8KB)
- memory/1876-74-0x0000000004710000-0x0000000004711000-memory.dmp (4KB)
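The dump names above encode the PID, a snapshot sequence number and the virtual address range that was dumped, and the RedLine Payload signature earlier in the report listed six of them as family_redline matches. The Python below is an added example, not part of this report; it parses the names (the download list and the six hit names are copied from the report), checks that each address range agrees with the size the report prints beside it, groups the flagged dumps by region, and picks the dump to pull first for payload extraction. Treating the single-address "mapping" entry as its own kind of dump, and the "largest flagged region, latest snapshot" choice, are this example's assumptions, not something the report states.

```python
"""Parse sandbox memory-dump names, verify printed sizes against the address
range, and select the flagged dump most worth pulling for the unpacked payload.

Added example; not part of the sandbox report. DOWNLOADS and
FAMILY_REDLINE_HITS are copied from the report. The best-dump heuristic is
this script's own.
"""
import re

# memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# (name, size as printed by the report; None where the report prints none)
DOWNLOADS = [
    ("memory/536-55-0x0000000000310000-0x0000000000311000-memory.dmp", "4KB"),
    ("memory/536-57-0x00000000765D1000-0x00000000765D3000-memory.dmp", "8KB"),
    ("memory/536-58-0x0000000000590000-0x0000000000591000-memory.dmp", "4KB"),
    ("memory/1876-59-0x0000000000080000-0x00000000000A0000-memory.dmp", "128KB"),
    ("memory/1876-60-0x0000000000080000-0x00000000000A0000-memory.dmp", "128KB"),
    ("memory/1876-62-0x0000000000080000-0x00000000000A0000-memory.dmp", "128KB"),
    ("memory/1876-61-0x0000000000080000-0x00000000000A0000-memory.dmp", "128KB"),
    ("memory/1876-64-0x000000000041B41E-mapping.dmp", None),
    ("memory/1876-65-0x0000000000080000-0x00000000000A0000-memory.dmp", "128KB"),
    ("memory/1876-68-0x0000000000080000-0x00000000000A0000-memory.dmp", "128KB"),
    ("memory/1876-71-0x0000000000080000-0x00000000000A0000-memory.dmp", "128KB"),
    ("memory/1876-72-0x0000000000080000-0x0000000000082000-memory.dmp", "8KB"),
    ("memory/1876-74-0x0000000004710000-0x0000000004711000-memory.dmp", "4KB"),
]

# family_redline YARA hits from the Signatures section ("behavioral1/" task
# prefix dropped so the names line up with the Downloads list).
FAMILY_REDLINE_HITS = {
    "memory/1876-62-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/1876-61-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/1876-64-0x000000000041B41E-mapping.dmp",
    "memory/1876-65-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/1876-68-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/1876-71-0x0000000000080000-0x00000000000A0000-memory.dmp",
}


def parse_dump_name(name):
    """Split a dump name into pid, seq, start, end (None for mapping dumps), size, kind."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end,
            "size": (end - start) if end is not None else None,
            "kind": m["kind"]}


def size_label(nbytes):
    """Render a byte count the way the report prints it (whole KB)."""
    return f"{nbytes // 1024}KB"


def check_sizes(downloads):
    """Names whose address range disagrees with the size printed next to them."""
    return [name for name, printed in downloads
            if printed is not None and size_label(parse_dump_name(name)["size"]) != printed]


def flagged_regions(downloads, hits):
    """Map (pid, start, end) -> sorted seq numbers of flagged range dumps."""
    regions = {}
    for name, _ in downloads:
        if name in hits:
            d = parse_dump_name(name)
            if d["kind"] == "memory":
                regions.setdefault((d["pid"], d["start"], d["end"]), []).append(d["seq"])
    return {k: sorted(v) for k, v in regions.items()}


def mapping_addresses(downloads, hits):
    """(pid, address) for flagged single-address mapping dumps."""
    parsed = [parse_dump_name(n) for n, _ in downloads if n in hits]
    return [(d["pid"], d["start"]) for d in parsed if d["kind"] == "mapping"]


def best_dump(downloads, hits):
    """Heuristic (assumption, not the report's): largest flagged region, latest
    snapshot, since later snapshots are more likely to hold the fully unpacked payload."""
    regions = flagged_regions(downloads, hits)
    if not regions:
        return None
    (pid, start, end), seqs = max(
        regions.items(), key=lambda kv: (kv[0][2] - kv[0][1], max(kv[1])))
    return f"memory/{pid}-{seqs[-1]}-0x{start:016X}-0x{end:016X}-memory.dmp"


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DOWNLOADS))
    for (pid, start, end), seqs in flagged_regions(DOWNLOADS, FAMILY_REDLINE_HITS).items():
        print(f"pid {pid} 0x{start:X}-0x{end:X} ({size_label(end - start)}): snapshots {seqs}")
    print("mapping hits:", [(p, hex(a)) for p, a in mapping_addresses(DOWNLOADS, FAMILY_REDLINE_HITS)])
    print("pull first:", best_dump(DOWNLOADS, FAMILY_REDLINE_HITS))
```

For this report every printed size matches its range, all six hits fall in PID 1876 (five snapshots of the 128KB region at 0x80000 plus the single-address mapping entry at 0x41B41E), and the heuristic selects snapshot 71 of that region.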