Overview

overview

10

Static

static

6c251106b9...4a.exe

windows7_x64

10

6c251106b9...4a.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    28-11-2021 05:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe

  • Size

    552KB

  • MD5

    c986e3f232dd71ac91e33cbbddf25c0a

  • SHA1

    c0d65b2188e25c1e62de1d8bd5c4dc67f49ef248

  • SHA256

    6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9

  • SHA512

    e36e7e15e6e8c266e168e9570f8d08082ca8dd2d85cb6edbf5eb61ca63dacfe1db92eed9724346d3c39effa51d14dc65a23c767a4a184447032a19241482dd21

Score
10/10
redline456390robotdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

Robot

C2

178.238.8.47:36439

Extracted

Family

redline

Botnet

456390

C2

45.77.80.187:15300

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe
    "C:\Users\Admin\AppData\Local\Temp\6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Users\Admin\AppData\Local\Temp\Netflix.exe
      "C:\Users\Admin\AppData\Local\Temp\Netflix.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        #cmd
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1244
    • C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
      "C:\Users\Admin\AppData\Local\Temp\Robot_20.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Netflix.exe
    MD5

    286b2514208110bab3196a61039fa4dd

    SHA1

    9d6bb9c38fd9b923a23f83c1e7dc0d8dca3552a7

    SHA256

    9c49f49218eaaae954e25937c328e7404dd1d61ca13b44b00eb2500034492bfe

    SHA512

    92382bde2186e392dac8340d2fb89a3b8ae7832a783eda344f16970b743f005dbc6626ba59ffc4b875ab8f74bb89f89144a0380b0b44ed7f996e147371958288

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Netflix.exe
    MD5

    286b2514208110bab3196a61039fa4dd

    SHA1

    9d6bb9c38fd9b923a23f83c1e7dc0d8dca3552a7

    SHA256

    9c49f49218eaaae954e25937c328e7404dd1d61ca13b44b00eb2500034492bfe

    SHA512

    92382bde2186e392dac8340d2fb89a3b8ae7832a783eda344f16970b743f005dbc6626ba59ffc4b875ab8f74bb89f89144a0380b0b44ed7f996e147371958288

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
    MD5

    9854e0dcb0cf68a1996acd5b801f1e4b

    SHA1

    883e60ef57ac00c3da29f3e186c2df7bd6acc7b3

    SHA256

    a5ba452a894d5cb2270dfe4ba6cae0df50f2b590bec3df5ac409678c2c6fb938

    SHA512

    a63a74d11cfd9e675b5437365acf11d02f958c71acdfa1bf3b5bf3936806d97c3784e121010c587c87d9b71ed2ff497fe7be314113996f025048e68fcac1bd33

    Download Submit
  • memory/524-55-0x00000000012F0000-0x00000000012F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/524-57-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1244-84-0x0000000004E50000-0x0000000004E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1244-82-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1244-75-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1244-81-0x0000000075851000-0x0000000075853000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1244-80-0x000000000041A2AE-mapping.dmp
    Download
  • memory/1244-79-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1244-78-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1244-77-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1244-76-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1432-61-0x0000000001290000-0x0000000001291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1432-69-0x000000001B210000-0x000000001B212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1432-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1840-72-0x0000000004700000-0x000000000472C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1840-73-0x00000000048A3000-0x00000000048A4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1840-74-0x00000000048A4000-0x00000000048A6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1840-66-0x0000000000220000-0x000000000024B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1840-67-0x0000000000270000-0x00000000002A9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/1840-71-0x00000000048A2000-0x00000000048A3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1840-70-0x00000000048A1000-0x00000000048A2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1840-68-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/1840-65-0x0000000002240000-0x000000000226E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1840-62-0x0000000000000000-mapping.dmp
    Download