Analysis
  max time kernel: 121s
  max time network: 160s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 25-01-2022 16:01

Static task: static1
Behavioral task: behavioral1
  Sample: b95cb76cec0b0c88a409403518559fb3.exe
  Resource: win7-en-20211208
General
  Target: b95cb76cec0b0c88a409403518559fb3.exe
  Size: 153KB
  MD5: b95cb76cec0b0c88a409403518559fb3
  SHA1: 7692607a52ada1a447913d1990628c13e22f4b04
  SHA256: ba2c8fcdef3c1675e57b94c9a7b04088a68d98110cf1ddf509eae437f731b138
  SHA512: 33fa4970b8d272209a39c1afe23f601f4dd146596cb28e2f830df8328ba2d4455ae801817062405148e6b5faae4773828e674740cc65bf46f37a7c5a99d4bc79
Malware Config
Extracted: asyncrat
  version: 1.0.7
  botnet: Default
  c2: null:null
  mutex: DcRatMutex
  anti_vm: false
  bsod: true
  delay: 1
  install: true
  install_file: RuntimeBroker.exe
  install_folder: %AppData%
  pastebin_config: https://pastebin.com/raw/SctPUR4x
Extracted: redline
  botnet: cheat
  c2: rat3000.ddns.net:56698
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoC)
  Processes (resource / yara_rule):
    behavioral2/memory/4360-138-0x000001A76A8D0000-0x000001A76A8EE000-memory.dmp  family_redline
- Async RAT payload (3 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/3436-121-0x0000025A9DD00000-0x0000025A9DD16000-memory.dmp  asyncrat
    behavioral2/memory/4360-131-0x000001A768D00000-0x000001A768D16000-memory.dmp  asyncrat
    behavioral2/memory/4360-136-0x000001A76A8C0000-0x000001A76A8CE000-memory.dmp  asyncrat
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    4360  RuntimeBroker.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes (pid / process):
    4464  timeout.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid / process):
    3436  b95cb76cec0b0c88a409403518559fb3.exe  (13 entries)
    4360  RuntimeBroker.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  3436  b95cb76cec0b0c88a409403518559fb3.exe  (2 entries)
    Token: SeDebugPrivilege  4360  RuntimeBroker.exe  (2 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process):
    PID 3436 wrote to memory of 4292  3436  b95cb76cec0b0c88a409403518559fb3.exe  cmd.exe  (2 entries)
    PID 3436 wrote to memory of 4404  3436  b95cb76cec0b0c88a409403518559fb3.exe  cmd.exe  (2 entries)
    PID 4292 wrote to memory of 788   4292  cmd.exe  schtasks.exe  (2 entries)
    PID 4404 wrote to memory of 4464  4404  cmd.exe  timeout.exe  (2 entries)
    PID 4404 wrote to memory of 4360  4404  cmd.exe  RuntimeBroker.exe  (2 entries)
Processes (indentation shows the parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\b95cb76cec0b0c88a409403518559fb3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b95cb76cec0b0c88a409403518559fb3.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'
          - Creates scheduled task(s)
  - [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7BC.tmp.bat""
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe
    - [3] C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
          Command line: "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7BC.tmp.bat
  MD5: 54177b88599c5fa637ad040507710daa
  SHA1: 3ead2caa208d63c0e2b924cd011e97c1367a684b
  SHA256: 8f98cf8308c638b1e04d6287ec5cf3d78a9bb6d07c62e72b8df45e4c19941473
  SHA512: 8f371abd861ac9c33932684b5c2f06fecda8610ae4f457041e8989a448a91ae1d04c9620c58fdb3b0e76f246a280cf3c7220033d4e52738cabb19963b387df68
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  MD5: b95cb76cec0b0c88a409403518559fb3
  SHA1: 7692607a52ada1a447913d1990628c13e22f4b04
  SHA256: ba2c8fcdef3c1675e57b94c9a7b04088a68d98110cf1ddf509eae437f731b138
  SHA512: 33fa4970b8d272209a39c1afe23f601f4dd146596cb28e2f830df8328ba2d4455ae801817062405148e6b5faae4773828e674740cc65bf46f37a7c5a99d4bc79
Memory dumps (resource / filesize)
  memory/3436-121-0x0000025A9DD00000-0x0000025A9DD16000-memory.dmp   88KB
  memory/3436-119-0x0000025A9DE24000-0x0000025A9DE25000-memory.dmp   4KB
  memory/3436-120-0x0000025A9DCC0000-0x0000025A9DCDA000-memory.dmp   104KB
  memory/3436-115-0x0000025A9C020000-0x0000025A9C04C000-memory.dmp   176KB
  memory/3436-122-0x0000025A9DE25000-0x0000025A9DE27000-memory.dmp   8KB
  memory/3436-123-0x0000025A9DE27000-0x0000025A9DE29000-memory.dmp   8KB
  memory/3436-124-0x0000025A9DE29000-0x0000025A9DE2A000-memory.dmp   4KB
  memory/3436-125-0x0000025A9DE2A000-0x0000025A9DE2F000-memory.dmp   20KB
  memory/3436-118-0x0000025A9DE22000-0x0000025A9DE24000-memory.dmp   8KB
  memory/3436-117-0x0000025A9C340000-0x0000025A9C348000-memory.dmp   32KB
  memory/3436-116-0x0000025A9DE20000-0x0000025A9DE22000-memory.dmp   8KB
  memory/4360-129-0x000001A76B602000-0x000001A76B603000-memory.dmp   4KB
  memory/4360-130-0x000001A76B613000-0x000001A76B614000-memory.dmp   4KB
  memory/4360-131-0x000001A768D00000-0x000001A768D16000-memory.dmp   88KB
  memory/4360-133-0x000001A76B606000-0x000001A76B607000-memory.dmp   4KB
  memory/4360-132-0x000001A76B603000-0x000001A76B604000-memory.dmp   4KB
  memory/4360-134-0x000001A76B608000-0x000001A76B609000-memory.dmp   4KB
  memory/4360-135-0x000001A76B080000-0x000001A76B0F6000-memory.dmp   472KB
  memory/4360-136-0x000001A76A8C0000-0x000001A76A8CE000-memory.dmp   56KB
  memory/4360-137-0x000001A76A8F0000-0x000001A76A90E000-memory.dmp   120KB
  memory/4360-138-0x000001A76A8D0000-0x000001A76A8EE000-memory.dmp   120KB
  memory/4360-139-0x000001A76AA60000-0x000001A76AA72000-memory.dmp   72KB
  memory/4360-140-0x000001A76BA30000-0x000001A76BA6E000-memory.dmp   248KB
  memory/4360-141-0x000001A76D720000-0x000001A76D82A000-memory.dmp   1.0MB
  memory/4360-142-0x000001A76DFA0000-0x000001A76E162000-memory.dmp   1.8MB
  memory/4360-143-0x000001A76EF20000-0x000001A76F446000-memory.dmp   5.1MB
  memory/4360-144-0x000001A76B609000-0x000001A76B60A000-memory.dmp   4KB
  memory/4360-145-0x000001A76B614000-0x000001A76B615000-memory.dmp   4KB