Analysis
-
max time kernel
82s -
max time network
126s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
26-01-2022 17:05
General
-
Target
03c9d092f03b568db03ae4d1f214724f2041b6281957c1404156f02a43c5ad23.exe
-
Size
702KB
-
MD5
435757d3c3e80723c18c9053dbe3bb90
-
SHA1
8f38de1a3bf7a3937b712db14f11e8a6d1a3ec00
-
SHA256
03c9d092f03b568db03ae4d1f214724f2041b6281957c1404156f02a43c5ad23
-
SHA512
88387e0182d1969f2957e8814383624052d03460d7ef7770c4835504bdc9cb77992dd3c1e620cdb9a9f0e74abeba7e8e86ccb405757e6e6f279705b4be5fa99d
Malware Config
Extracted
redline
mix26.01
185.215.113.70:21508
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\03c9d092f03b568db03ae4d1f214724f2041b6281957c1404156f02a43c5ad23.exe"C:\Users\Admin\AppData\Local\Temp\03c9d092f03b568db03ae4d1f214724f2041b6281957c1404156f02a43c5ad23.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Green\neofim.exeneofim.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
a3377eab3ef751df3dfc631512bfbbca
SHA1dd82520deb584884de1c361a1d8aad6f5dd4c3be
SHA2567de1d6871b83deefd60706fc87f03b1b57be6a259107c1f4e797eb386c5db464
SHA512c7f4135b694a1692e61e579b3ed1d1675cc16ccc55d8d7969c4f2800d21c736424120f1ecbb63900a3a87ddf0ece3c434b7ccf47959d7546db49995affaa8764
-
MD5
a3377eab3ef751df3dfc631512bfbbca
SHA1dd82520deb584884de1c361a1d8aad6f5dd4c3be
SHA2567de1d6871b83deefd60706fc87f03b1b57be6a259107c1f4e797eb386c5db464
SHA512c7f4135b694a1692e61e579b3ed1d1675cc16ccc55d8d7969c4f2800d21c736424120f1ecbb63900a3a87ddf0ece3c434b7ccf47959d7546db49995affaa8764
-
Filesize
484KB
-
Filesize
824KB
-
Filesize
868KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
484KB
-
Filesize
208KB
-
Filesize
5.0MB
-
Filesize
200KB
-
Filesize
6.0MB
-
Filesize
172KB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
228KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
344KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
120KB
-
Filesize
1.8MB
-
Filesize
5.2MB