General

Target: исходник.exe
Filesize: 2MB
Completed: 27-01-2022 16:56
Task: behavioral2
Score: 10/10
MD5: cb267c252a42ed8e1de90463e2ab4013
SHA1: fcfc74cfc893c4b454cfcc190a51fc9e9b6b265b
SHA256: 1ec0a7cf579b43db873c885bb6fcee2e082ef92fe423372acec2cab9bd9040c0
SHA512: ece505a79a2e2b84b731ece8024e37f4da579f6af1555ad6ae2088c5fe4c5884819e64a4ca7b42fcee464912179e88a9782566cf5f2ff18f9bf63121e5045b01

Malware Config

Extracted
Family: redline
Botnet: sapphire
C2: 185.230.143.237:2548

Signatures (15)

Tactics: Collection, Credential Access, Discovery
  • Echelon

    Description

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1376-121-0x0000000000910000-0x0000000000C94000-memory.dmp | family_redline
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    Description

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    Description

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

  • Executes dropped EXE
    Decoder.exe

    Reported IOCs

    pid | process
    1376 | Decoder.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    8 | api.ipify.org
    9 | api.ipify.org
    10 | ip-api.com
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    Decoder.exe

    Reported IOCs

    pid | process
    1376 | Decoder.exe (15 identical entries reported)
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Delays execution with timeout.exe
    timeout.exe

    Reported IOCs

    pid | process
    2312 | timeout.exe
  • Suspicious behavior: EnumeratesProcesses
    исходник.exe

    Reported IOCs

    pid | process
    2416 | исходник.exe
    2416 | исходник.exe
  • Suspicious use of AdjustPrivilegeToken
    исходник.exe, Decoder.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2416 | исходник.exe
    Token: SeDebugPrivilege | 1376 | Decoder.exe
  • Suspicious use of SetWindowsHookEx
    Decoder.exe

    Reported IOCs

    pid | process
    1376 | Decoder.exe
  • Suspicious use of WriteProcessMemory
    исходник.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 2416 wrote to memory of 1376 | 2416 | исходник.exe | Decoder.exe
    PID 2416 wrote to memory of 1376 | 2416 | исходник.exe | Decoder.exe
    PID 2416 wrote to memory of 1376 | 2416 | исходник.exe | Decoder.exe
    PID 2416 wrote to memory of 1372 | 2416 | исходник.exe | cmd.exe
    PID 2416 wrote to memory of 1372 | 2416 | исходник.exe | cmd.exe
    PID 1372 wrote to memory of 2312 | 1372 | cmd.exe | timeout.exe
    PID 1372 wrote to memory of 2312 | 1372 | cmd.exe | timeout.exe
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\исходник.exe
    "C:\Users\Admin\AppData\Local\Temp\исходник.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2416
    • C:\ProgramData\Decoder.exe
      "C:\ProgramData\Decoder.exe"
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1376
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\system32\timeout.exe
        timeout 4
        Delays execution with timeout.exe
        PID:2312
Network
MITRE ATT&CK Matrix

Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • C:\ProgramData\Decoder.exe
    MD5: 50b223696961a46e3f435c226b12f899
    SHA1: f7e909e182969bdb44c3ed8c2c091967c54c7957
    SHA256: 658c50b49af49975e3a4bc1fa44337bb72dcf86b49dee68b2fa6e6dd353309b5
    SHA512: b19377b68de8d62f5bc85bc523e22b98665a163a3553ba1acafdf068957a123877118698628034c0062c1370ea012c2bbf30175f06ada2e3d5181ad6233d8c36

  • C:\Users\Admin\AppData\Local\Temp\.cmd
    MD5: 73712247036b6a24d16502c57a3e5679
    SHA1: 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
    SHA256: 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
    SHA512: 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

  • memory/1376-127-0x0000000005FC0000-0x00000000060CA000-memory.dmp
  • memory/1376-125-0x0000000005D70000-0x0000000005DBB000-memory.dmp
  • memory/1376-126-0x0000000005EA0000-0x0000000005EA1000-memory.dmp
  • memory/1376-121-0x0000000000910000-0x0000000000C94000-memory.dmp
  • memory/1376-122-0x00000000064C0000-0x0000000006AC6000-memory.dmp
  • memory/1376-123-0x0000000005CD0000-0x0000000005CE2000-memory.dmp
  • memory/1376-124-0x0000000005D30000-0x0000000005D6E000-memory.dmp
  • memory/2416-117-0x0000023C9C280000-0x0000023C9C282000-memory.dmp
  • memory/2416-116-0x0000023C9C010000-0x0000023C9C086000-memory.dmp
  • memory/2416-115-0x0000023C819A0000-0x0000023C81C46000-memory.dmp