Analysis
- max time kernel: 120s
- max time network: 131s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 05-12-2021 16:32
Static task: static1
Behavioral task: behavioral1
  Sample: GloryHack.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: GloryHack.exe
  Resource: win10-en-20211014
General
- Target: GloryHack.exe
- Size: 857KB
- MD5: f5ca907b9390037f5ee5106abdc71927
- SHA1: 91471f2d090e8858d2945faeffa17af57b8b2eaa
- SHA256: 565b1484478b1644bd1e8954e079f653b8f71c9f16997d4b7fc53f83da609e35
- SHA512: 27d3ad7f40c8ee6983e09e23b858feedcf7cc6170e549f3394f05789ba6c00e547e43d68d3994c47410fde995417771086a7fcf48ee581d41e50970e62858a9f
Malware Config
Extracted
- redline: 185.215.113.57:50723
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3688-120-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/3688-121-0x000000000041B78E-mapping.dmp | family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2636 set thread context of 3688 | 2636 | GloryHack.exe | RegAsm.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  3688 | RegAsm.exe (3 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3688 | RegAsm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 2636 wrote to memory of 3688 | 2636 | GloryHack.exe | RegAsm.exe (8 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\GloryHack.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GloryHack.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: #cmd
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2636-115-0x0000000000500000-0x0000000000501000-memory.dmp (4KB)
- memory/2636-117-0x000000001B5F0000-0x000000001B5F2000-memory.dmp (8KB)
- memory/2636-118-0x000000001B700000-0x000000001B701000-memory.dmp (4KB)
- memory/2636-119-0x0000000000EB0000-0x0000000000EB1000-memory.dmp (4KB)
- memory/3688-120-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/3688-121-0x000000000041B78E-mapping.dmp
- memory/3688-124-0x0000000005D50000-0x0000000005D51000-memory.dmp (4KB)
- memory/3688-125-0x0000000005770000-0x0000000005771000-memory.dmp (4KB)
- memory/3688-126-0x00000000058A0000-0x00000000058A1000-memory.dmp (4KB)
- memory/3688-127-0x00000000057D0000-0x00000000057D1000-memory.dmp (4KB)
- memory/3688-128-0x0000000005740000-0x0000000005D46000-memory.dmp (6.0MB)
- memory/3688-129-0x0000000005810000-0x0000000005811000-memory.dmp (4KB)
- memory/3688-130-0x0000000005B80000-0x0000000005B81000-memory.dmp (4KB)
- memory/3688-131-0x0000000005CA0000-0x0000000005CA1000-memory.dmp (4KB)
- memory/3688-132-0x0000000006860000-0x0000000006861000-memory.dmp (4KB)
- memory/3688-133-0x0000000005C60000-0x0000000005C61000-memory.dmp (4KB)
- memory/3688-134-0x00000000066E0000-0x00000000066E1000-memory.dmp (4KB)
- memory/3688-135-0x00000000071F0000-0x00000000071F1000-memory.dmp (4KB)
- memory/3688-136-0x00000000078F0000-0x00000000078F1000-memory.dmp (4KB)
- memory/3688-137-0x0000000007190000-0x0000000007191000-memory.dmp (4KB)