Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 16:53

General

  • Target

    исходник.exe

  • Size

    2.6MB

  • MD5

    cb267c252a42ed8e1de90463e2ab4013

  • SHA1

    fcfc74cfc893c4b454cfcc190a51fc9e9b6b265b

  • SHA256

    1ec0a7cf579b43db873c885bb6fcee2e082ef92fe423372acec2cab9bd9040c0

  • SHA512

    ece505a79a2e2b84b731ece8024e37f4da579f6af1555ad6ae2088c5fe4c5884819e64a4ca7b42fcee464912179e88a9782566cf5f2ff18f9bf63121e5045b01

Malware Config

Extracted

Family

redline

Botnet

sapphire

C2

185.230.143.237:2548

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

    NtSetInformationThread with the ThreadHideFromDebugger information class detaches the calling thread from any attached debugger, so breakpoint and single-step events on that thread are no longer delivered. It is a common anti-debugging technique; here it is attributed to the dropped Decoder.exe (PID 1376).

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour"; for a stealer such as RedLine, drive enumeration is more consistent with host profiling and file collection than with encryption, and no file-encryption activity is reported here.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
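Detection logic for the network indicators above, the C2 from the extracted config and the two Suricata alerts on POSTs to gate.php, as an added example; it is not part of the sandbox report or of the Emerging Threats ruleset. The C2 check matches destination host:port regardless of protocol; the gate.php checks mirror the ET rules, which key on a POST to that URI that lacks headers a browser would always send. The request records are constructed for illustration and are not traffic captured in this analysis.

```python
"""Match request records against the RedLine C2 indicator and the two
ET "POST To gate.php" alerts from the report above (added example)."""
from dataclasses import dataclass, field

# Indicators copied from the report's Malware Config section.
C2_HOST = "185.230.143.237"
C2_PORT = 2548

ALERT_C2 = "RedLine C2 indicator match 185.230.143.237:2548"
ALERT_NO_ACCEPT = "ET MALWARE Trojan Generic - POST To gate.php with no accept headers"
ALERT_NO_REFERER = "ET MALWARE Trojan Generic - POST To gate.php with no referer"


@dataclass
class Request:
    """One outbound request; method/path/headers may be empty for non-HTTP flows."""
    dst: str
    dport: int
    method: str = ""
    path: str = ""
    headers: dict = field(default_factory=dict)

    def has_header(self, name):
        # Header names are case-insensitive, so compare case-folded.
        return any(k.lower() == name.lower() for k in self.headers)


def is_gate_php(path):
    # Match the URI path only, ignoring any query string (like an http.uri content match).
    return path.split("?", 1)[0].lower().endswith("/gate.php")


def check_request(req):
    """Return the alert names fired by a single request (empty list if none)."""
    alerts = []
    if req.dst == C2_HOST and req.dport == C2_PORT:
        alerts.append(ALERT_C2)
    if req.method.upper() == "POST" and is_gate_php(req.path):
        # Browsers always send Accept and (for form posts) Referer; bots often omit them.
        if not req.has_header("Accept"):
            alerts.append(ALERT_NO_ACCEPT)
        if not req.has_header("Referer"):
            alerts.append(ALERT_NO_REFERER)
    return alerts


def scan(requests):
    """Map request index -> alerts for every request that fired at least one."""
    result = {}
    for i, req in enumerate(requests):
        hits = check_request(req)
        if hits:
            result[i] = hits
    return result


# Constructed sample traffic (RFC 5737 documentation addresses for the non-C2 hosts).
SAMPLE_REQUESTS = [
    # Stealer-style beacon: minimal headers, straight to the configured C2.
    Request(C2_HOST, C2_PORT, "POST", "/gate.php",
            {"Host": C2_HOST, "Content-Type": "application/x-www-form-urlencoded",
             "User-Agent": "Mozilla/4.0"}),
    # Same panel path on another host, Accept present but no Referer.
    Request("203.0.113.10", 80, "POST", "/panel/gate.php?id=1",
            {"Host": "203.0.113.10", "Accept": "*/*"}),
    # A browser form submission: both headers present, nothing fires.
    Request("198.51.100.5", 443, "POST", "/login",
            {"Host": "example.test", "Accept": "text/html", "Referer": "https://example.test/"}),
    # GET to gate.php: the ET alerts are POST-only.
    Request("203.0.113.10", 80, "GET", "/gate.php", {"Host": "203.0.113.10"}),
]

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_REQUESTS).items():
        for alert in alerts:
            print(f"request {idx}: {alert}")
```

Run as a script it prints three alerts for the first request and one for the second; the browser POST and the GET stay silent, which is the point of the missing-header heuristic: it trades a little coverage (a bot that fakes browser headers slips past) for a very low false-positive rate on real browsers.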

Processes

  • C:\Users\Admin\AppData\Local\Temp\исходник.exe
    "C:\Users\Admin\AppData\Local\Temp\исходник.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\ProgramData\Decoder.exe
      "C:\ProgramData\Decoder.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1376
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\system32\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:2312
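Rebuilding the tree above from process-creation events and flagging the three behaviours the sandbox reported on it (a dropped executable run from C:\ProgramData, cmd.exe running a script from the user's Temp folder, and a timeout.exe sleep used as an execution delay), as an added example rather than the sandbox's own logic. The events are constructed to mirror the report, with PIDs, images and command lines copied from the tree; the field names loosely follow Sysmon Event ID 1 and are an assumption. The root process's parent is not in the report, so its ppid is left as None.

```python
"""Process-tree reconstruction and triage for the tree in the report above
(added example; events constructed from the report, schema is an assumption)."""
import re
from collections import defaultdict

EVENTS = [
    {"pid": 2416, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\исходник.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\исходник.exe"'},
    {"pid": 1376, "ppid": 2416,
     "image": r"C:\ProgramData\Decoder.exe",
     "cmdline": r'"C:\ProgramData\Decoder.exe"'},
    {"pid": 1372, "ppid": 2416,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""'},
    {"pid": 2312, "ppid": 1372,
     "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 4"},
]

# Locations a standard user can write to and that malware commonly drops into.
WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")

# cmd.exe /c or /k followed by a (possibly double-quoted) .cmd/.bat path.
CMD_SCRIPT_RE = re.compile(r'cmd(?:\.exe)?\s+/[ck]\s+"*([^"]+?\.(?:cmd|bat))"*', re.I)
# timeout [/t] N, with or without a leading path to timeout.exe.
TIMEOUT_RE = re.compile(r"^\s*(?:.*\\)?timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I)


def in_writable_dir(path):
    p = path.lower()
    return any(d in p for d in WRITABLE_DIRS)


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    roots = []
    for e in events:
        if e["ppid"] in by_pid:
            children[e["ppid"]].append(e["pid"])
        else:
            roots.append(e["pid"])  # parent not in the event set: treat as a root
    return by_pid, children, roots


def triage(events):
    """Return {pid: [finding, ...]} for every process that matched a rule."""
    by_pid, _, _ = build_tree(events)
    findings = defaultdict(list)
    for e in events:
        parent = by_pid.get(e["ppid"])
        image, cmdline = e["image"], e["cmdline"]

        # "Executes dropped EXE": without file-write events a drop is approximated as an
        # .exe in a user-writable directory started by a parent that also runs from a
        # user-writable directory (i.e. not a system binary).
        if (image.lower().endswith(".exe") and in_writable_dir(image)
                and parent is not None and in_writable_dir(parent["image"])):
            findings[e["pid"]].append(f"executes dropped EXE {image} (parent {parent['image']})")

        m = CMD_SCRIPT_RE.search(cmdline)
        if m and in_writable_dir(m.group(1)):
            findings[e["pid"]].append(f"cmd.exe runs script from user-writable path {m.group(1)}")

        m = TIMEOUT_RE.match(cmdline)
        if m and parent is not None and parent["image"].lower().endswith("\\cmd.exe"):
            findings[e["pid"]].append(f"delays execution with timeout.exe ({m.group(1)}s, under cmd.exe)")
    return dict(findings)


def render_tree(events):
    """Indented one-line-per-process view, roots first, children in event order."""
    by_pid, children, roots = build_tree(events)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}[{pid}] {by_pid[pid]['cmdline']}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for pid, hits in triage(EVENTS).items():
        for hit in hits:
            print(f"PID {pid}: {hit}")
```

The dropped-EXE rule is the weakest of the three because it infers the drop from locations rather than from a file-create event; on a host with Sysmon Event ID 11 available, the check should instead require that the parent (or an ancestor) wrote the image before it was executed.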

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files, T1081 (1)
  • Discovery: System Information Discovery, T1082 (1)
  • Collection: Data from Local System, T1005 (1)


Downloads

  • C:\ProgramData\Decoder.exe
    MD5

    50b223696961a46e3f435c226b12f899

    SHA1

    f7e909e182969bdb44c3ed8c2c091967c54c7957

    SHA256

    658c50b49af49975e3a4bc1fa44337bb72dcf86b49dee68b2fa6e6dd353309b5

    SHA512

    b19377b68de8d62f5bc85bc523e22b98665a163a3553ba1acafdf068957a123877118698628034c0062c1370ea012c2bbf30175f06ada2e3d5181ad6233d8c36

  • C:\Users\Admin\AppData\Local\Temp\.cmd
    MD5

    73712247036b6a24d16502c57a3e5679

    SHA1

    65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

    SHA256

    8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

    SHA512

    548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

  • memory/1376-121-0x0000000000910000-0x0000000000C94000-memory.dmp
    Filesize

    3.5MB

  • memory/1376-122-0x00000000064C0000-0x0000000006AC6000-memory.dmp
    Filesize

    6.0MB

  • memory/1376-123-0x0000000005CD0000-0x0000000005CE2000-memory.dmp
    Filesize

    72KB

  • memory/1376-124-0x0000000005D30000-0x0000000005D6E000-memory.dmp
    Filesize

    248KB

  • memory/1376-125-0x0000000005D70000-0x0000000005DBB000-memory.dmp
    Filesize

    300KB

  • memory/1376-126-0x0000000005EA0000-0x0000000005EA1000-memory.dmp
    Filesize

    4KB

  • memory/1376-127-0x0000000005FC0000-0x00000000060CA000-memory.dmp
    Filesize

    1.0MB

  • memory/2416-117-0x0000023C9C280000-0x0000023C9C282000-memory.dmp
    Filesize

    8KB

  • memory/2416-116-0x0000023C9C010000-0x0000023C9C086000-memory.dmp
    Filesize

    472KB

  • memory/2416-115-0x0000023C819A0000-0x0000023C81C46000-memory.dmp
    Filesize

    2.6MB
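A parser for the sandbox's memory-dump artifact names in the Downloads list above (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), recovering each region's PID, address range and byte size and cross-checking the printed Filesize values. This is an added example, not code from the sandbox. The name/size pairs are copied from this report; the naming convention and the size-rendering rule are inferred from those entries and are assumptions, not documented sandbox behaviour.

```python
"""Parse memory-dump artifact names from the report above and verify the
printed sizes (added example; naming convention inferred, not documented)."""
import re
from collections import defaultdict

DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PAGE = 0x1000  # x64 Windows page size; dumped regions are expected to be page-aligned

# (artifact name, Filesize as printed) pairs copied from the report's Downloads list.
REPORTED = [
    ("memory/1376-121-0x0000000000910000-0x0000000000C94000-memory.dmp", "3.5MB"),
    ("memory/1376-122-0x00000000064C0000-0x0000000006AC6000-memory.dmp", "6.0MB"),
    ("memory/1376-123-0x0000000005CD0000-0x0000000005CE2000-memory.dmp", "72KB"),
    ("memory/1376-124-0x0000000005D30000-0x0000000005D6E000-memory.dmp", "248KB"),
    ("memory/1376-125-0x0000000005D70000-0x0000000005DBB000-memory.dmp", "300KB"),
    ("memory/1376-126-0x0000000005EA0000-0x0000000005EA1000-memory.dmp", "4KB"),
    ("memory/1376-127-0x0000000005FC0000-0x00000000060CA000-memory.dmp", "1.0MB"),
    ("memory/2416-117-0x0000023C9C280000-0x0000023C9C282000-memory.dmp", "8KB"),
    ("memory/2416-116-0x0000023C9C010000-0x0000023C9C086000-memory.dmp", "472KB"),
    ("memory/2416-115-0x0000023C819A0000-0x0000023C81C46000-memory.dmp", "2.6MB"),
]


def parse_dump_name(name):
    """Return pid, seq, start, end, size and page alignment for one artifact name."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artifact name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        "page_aligned": start % PAGE == 0 and end % PAGE == 0,
    }


def human_size(nbytes):
    """Render a byte count the way the report prints Filesize (assumed rule):
    whole KiB below 1 MiB, otherwise MiB to one decimal place."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_reported(entries):
    """Return (name, computed, printed) for each entry whose address range does not
    reproduce the printed Filesize; an empty list means the list is self-consistent."""
    mismatches = []
    for name, printed in entries:
        computed = human_size(parse_dump_name(name)["size"])
        if computed != printed:
            mismatches.append((name, computed, printed))
    return mismatches


def regions_by_pid(entries):
    """Group parsed regions per PID, largest first."""
    grouped = defaultdict(list)
    for name, _ in entries:
        region = parse_dump_name(name)
        grouped[region["pid"]].append(region)
    for regions in grouped.values():
        regions.sort(key=lambda r: r["size"], reverse=True)
    return dict(grouped)


if __name__ == "__main__":
    print("mismatches:", check_reported(REPORTED))
    for pid, regions in regions_by_pid(REPORTED).items():
        for r in regions:
            flag = "" if r["page_aligned"] else "  (not page-aligned)"
            print(f"PID {pid}: 0x{r['start']:016X}-0x{r['end']:016X} {human_size(r['size']):>7}{flag}")
```

On this report the check returns no mismatches and every range is page-aligned. Grouping by PID also shows at a glance that the bulk of the dumped memory belongs to the dropped Decoder.exe (PID 1376), while the largest region in the original process (PID 2416) is 2.6MB, the same size the report gives for the submitted file.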