Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 28-11-2021 05:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe
- Resource: win7-en-20211104
General
- Target: 6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe
- Size: 552KB
- MD5: c986e3f232dd71ac91e33cbbddf25c0a
- SHA1: c0d65b2188e25c1e62de1d8bd5c4dc67f49ef248
- SHA256: 6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9
- SHA512: e36e7e15e6e8c266e168e9570f8d08082ca8dd2d85cb6edbf5eb61ca63dacfe1db92eed9724346d3c39effa51d14dc65a23c767a4a184447032a19241482dd21
Malware Config
- Extracted
  Family: redline
  Botnet: Robot
  C2: 178.238.8.47:36439
- Extracted
  Family: redline
  Botnet: 456390
  C2: 45.77.80.187:15300
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (7 IoCs)
  Processes (resource -> yara_rule):
  - behavioral1/memory/1840-65-0x0000000002240000-0x000000000226E000-memory.dmp -> family_redline
  - behavioral1/memory/1840-72-0x0000000004700000-0x000000000472C000-memory.dmp -> family_redline
  - behavioral1/memory/1244-77-0x0000000000400000-0x0000000000428000-memory.dmp -> family_redline
  - behavioral1/memory/1244-78-0x0000000000400000-0x0000000000428000-memory.dmp -> family_redline
  - behavioral1/memory/1244-79-0x0000000000400000-0x0000000000428000-memory.dmp -> family_redline
  - behavioral1/memory/1244-80-0x000000000041A2AE-mapping.dmp -> family_redline
  - behavioral1/memory/1244-82-0x0000000000400000-0x0000000000428000-memory.dmp -> family_redline
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1432 Netflix.exe
  - 1840 Robot_20.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid process -> target process):
  - PID 1432 set thread context of 1244; 1432 Netflix.exe -> RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1840 Robot_20.exe
  - 1244 RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description; pid process):
  - Token: SeDebugPrivilege; 1840 Robot_20.exe
  - Token: SeDebugPrivilege; 1244 RegAsm.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description; pid process -> target process):
  - PID 524 wrote to memory of 1432; 524 6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe -> Netflix.exe (3 entries)
  - PID 524 wrote to memory of 1840; 524 6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe -> Robot_20.exe (4 entries)
  - PID 1432 wrote to memory of 1244; 1432 Netflix.exe -> RegAsm.exe (12 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Netflix.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Netflix.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: #cmd
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Robot_20.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Netflix.exe
  MD5: 286b2514208110bab3196a61039fa4dd
  SHA1: 9d6bb9c38fd9b923a23f83c1e7dc0d8dca3552a7
  SHA256: 9c49f49218eaaae954e25937c328e7404dd1d61ca13b44b00eb2500034492bfe
  SHA512: 92382bde2186e392dac8340d2fb89a3b8ae7832a783eda344f16970b743f005dbc6626ba59ffc4b875ab8f74bb89f89144a0380b0b44ed7f996e147371958288
- C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
  MD5: 9854e0dcb0cf68a1996acd5b801f1e4b
  SHA1: 883e60ef57ac00c3da29f3e186c2df7bd6acc7b3
  SHA256: a5ba452a894d5cb2270dfe4ba6cae0df50f2b590bec3df5ac409678c2c6fb938
  SHA512: a63a74d11cfd9e675b5437365acf11d02f958c71acdfa1bf3b5bf3936806d97c3784e121010c587c87d9b71ed2ff497fe7be314113996f025048e68fcac1bd33
- memory/524-55-0x00000000012F0000-0x00000000012F1000-memory.dmp (Filesize 4KB)
- memory/524-57-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp (Filesize 8KB)
- memory/1244-84-0x0000000004E50000-0x0000000004E51000-memory.dmp (Filesize 4KB)
- memory/1244-82-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1244-75-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1244-81-0x0000000075851000-0x0000000075853000-memory.dmp (Filesize 8KB)
- memory/1244-80-0x000000000041A2AE-mapping.dmp
- memory/1244-79-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1244-78-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1244-77-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1244-76-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1432-61-0x0000000001290000-0x0000000001291000-memory.dmp (Filesize 4KB)
- memory/1432-69-0x000000001B210000-0x000000001B212000-memory.dmp (Filesize 8KB)
- memory/1432-58-0x0000000000000000-mapping.dmp
- memory/1840-72-0x0000000004700000-0x000000000472C000-memory.dmp (Filesize 176KB)
- memory/1840-73-0x00000000048A3000-0x00000000048A4000-memory.dmp (Filesize 4KB)
- memory/1840-74-0x00000000048A4000-0x00000000048A6000-memory.dmp (Filesize 8KB)
- memory/1840-66-0x0000000000220000-0x000000000024B000-memory.dmp (Filesize 172KB)
- memory/1840-67-0x0000000000270000-0x00000000002A9000-memory.dmp (Filesize 228KB)
- memory/1840-71-0x00000000048A2000-0x00000000048A3000-memory.dmp (Filesize 4KB)
- memory/1840-70-0x00000000048A1000-0x00000000048A2000-memory.dmp (Filesize 4KB)
- memory/1840-68-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize 328KB)
- memory/1840-65-0x0000000002240000-0x000000000226E000-memory.dmp (Filesize 184KB)
- memory/1840-62-0x0000000000000000-mapping.dmp