Overview

overview

10

Static

static

EasyCheat.exe

windows7_x64

10

EasyCheat.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    26-01-2022 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EasyCheat.exe

  • Size

    74KB

  • MD5

    76cd2291f9307d31ca70cc155bfef971

  • SHA1

    e36c68f7bc50150dfb1f3ed54c6a3503f680852a

  • SHA256

    f576580f69157f1e64941256a721f74d38ae8b562281d631f9b864538871ef3d

  • SHA512

    da6c892b97f6d402be227c6ad6ad772824d5e6dfe3d8088ce51d22f26bd1d652472e743aac0fb3a83f96f4d686b3b6c13b074e0c592f43a68a4881da5544919e

Score
10/10
redlinepaneldiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

Panel

C2

185.128.107.102:6886

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EasyCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\EasyCheat.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C timeout 20
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\SysWOW64\timeout.exe
        timeout 20
        3⤵
        • Delays execution with timeout.exe
        PID:1240
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:828

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/828-63-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/828-60-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/828-61-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/828-62-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/828-64-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/828-66-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/828-67-0x0000000004D60000-0x0000000004D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1796-55-0x0000000076C61000-0x0000000076C63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1796-56-0x0000000004B70000-0x0000000004B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1796-57-0x0000000000D20000-0x0000000000D6E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1796-58-0x0000000001020000-0x0000000001056000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1796-59-0x00000000010C0000-0x000000000110C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1796-54-0x0000000001120000-0x0000000001136000-memory.dmp

    Filesize

    88KB

    Download