Overview

overview

10

Static

static

6c251106b9...4a.exe

windows7_x64

10

6c251106b9...4a.exe

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    28-11-2021 05:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe

  • Size

    552KB

  • MD5

    c986e3f232dd71ac91e33cbbddf25c0a

  • SHA1

    c0d65b2188e25c1e62de1d8bd5c4dc67f49ef248

  • SHA256

    6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9

  • SHA512

    e36e7e15e6e8c266e168e9570f8d08082ca8dd2d85cb6edbf5eb61ca63dacfe1db92eed9724346d3c39effa51d14dc65a23c767a4a184447032a19241482dd21

Score
10/10
redline456390robotdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

456390

C2

45.77.80.187:15300

Extracted

Family

redline

Botnet

Robot

C2

178.238.8.47:36439

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe
    "C:\Users\Admin\AppData\Local\Temp\6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Users\Admin\AppData\Local\Temp\Netflix.exe
      "C:\Users\Admin\AppData\Local\Temp\Netflix.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        #cmd
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:648
    • C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
      "C:\Users\Admin\AppData\Local\Temp\Robot_20.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Netflix.exe
    MD5

    286b2514208110bab3196a61039fa4dd

    SHA1

    9d6bb9c38fd9b923a23f83c1e7dc0d8dca3552a7

    SHA256

    9c49f49218eaaae954e25937c328e7404dd1d61ca13b44b00eb2500034492bfe

    SHA512

    92382bde2186e392dac8340d2fb89a3b8ae7832a783eda344f16970b743f005dbc6626ba59ffc4b875ab8f74bb89f89144a0380b0b44ed7f996e147371958288

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Netflix.exe
    MD5

    286b2514208110bab3196a61039fa4dd

    SHA1

    9d6bb9c38fd9b923a23f83c1e7dc0d8dca3552a7

    SHA256

    9c49f49218eaaae954e25937c328e7404dd1d61ca13b44b00eb2500034492bfe

    SHA512

    92382bde2186e392dac8340d2fb89a3b8ae7832a783eda344f16970b743f005dbc6626ba59ffc4b875ab8f74bb89f89144a0380b0b44ed7f996e147371958288

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
    MD5

    9854e0dcb0cf68a1996acd5b801f1e4b

    SHA1

    883e60ef57ac00c3da29f3e186c2df7bd6acc7b3

    SHA256

    a5ba452a894d5cb2270dfe4ba6cae0df50f2b590bec3df5ac409678c2c6fb938

    SHA512

    a63a74d11cfd9e675b5437365acf11d02f958c71acdfa1bf3b5bf3936806d97c3784e121010c587c87d9b71ed2ff497fe7be314113996f025048e68fcac1bd33

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
    MD5

    9854e0dcb0cf68a1996acd5b801f1e4b

    SHA1

    883e60ef57ac00c3da29f3e186c2df7bd6acc7b3

    SHA256

    a5ba452a894d5cb2270dfe4ba6cae0df50f2b590bec3df5ac409678c2c6fb938

    SHA512

    a63a74d11cfd9e675b5437365acf11d02f958c71acdfa1bf3b5bf3936806d97c3784e121010c587c87d9b71ed2ff497fe7be314113996f025048e68fcac1bd33

    Download Submit
  • memory/648-152-0x0000000004990000-0x0000000004991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-135-0x000000000041A2AE-mapping.dmp
    Download
  • memory/648-146-0x0000000004A60000-0x0000000004A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-140-0x0000000004E90000-0x0000000004E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-151-0x0000000004880000-0x0000000004E86000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/648-137-0x00000000001D0000-0x00000000001F8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/648-145-0x0000000004930000-0x0000000004931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-161-0x00000000054E0000-0x00000000054E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-158-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-154-0x00000000049D0000-0x00000000049D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4312-118-0x00000000009D0000-0x00000000009D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4408-130-0x000000001B4E0000-0x000000001B4E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4408-129-0x000000001DBE0000-0x000000001DBE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4408-128-0x0000000002A50000-0x0000000002A52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4408-120-0x0000000000000000-mapping.dmp
    Download
  • memory/4408-123-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4536-141-0x00000000024D2000-0x00000000024D3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4536-136-0x00000000024D0000-0x00000000024D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4536-144-0x00000000025A0000-0x00000000025CC000-memory.dmp
    Filesize

    176KB

    Download
  • memory/4536-142-0x00000000024D3000-0x00000000024D4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4536-125-0x0000000000000000-mapping.dmp
    Download
  • memory/4536-139-0x0000000002480000-0x00000000024AE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/4536-150-0x00000000024D4000-0x00000000024D6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4536-143-0x0000000004B30000-0x0000000004B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4536-133-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/4536-156-0x0000000007430000-0x0000000007431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4536-131-0x00000000005A0000-0x00000000006EA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4536-132-0x00000000021C0000-0x00000000021F9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4536-163-0x0000000007720000-0x0000000007721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4536-165-0x0000000007E10000-0x0000000007E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4536-166-0x0000000007E90000-0x0000000007E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4536-167-0x0000000008070000-0x0000000008071000-memory.dmp
    Filesize

    4KB

    Download