Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 16:53

General

  • Target

    исходник.exe

  • Size

    2MB

  • MD5

    cb267c252a42ed8e1de90463e2ab4013

  • SHA1

    fcfc74cfc893c4b454cfcc190a51fc9e9b6b265b

  • SHA256

    1ec0a7cf579b43db873c885bb6fcee2e082ef92fe423372acec2cab9bd9040c0

  • SHA512

    ece505a79a2e2b84b731ece8024e37f4da579f6af1555ad6ae2088c5fe4c5884819e64a4ca7b42fcee464912179e88a9782566cf5f2ff18f9bf63121e5045b01

Malware Config

Extracted

Family

redline

Botnet

sapphire

C2

185.230.143.237:2548

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload ⋅ 1 IoCs
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

  • Executes dropped EXE ⋅ 1 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service ⋅ 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 15 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 2 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\исходник.exe
    "C:\Users\Admin\AppData\Local\Temp\исходник.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2416
    • C:\ProgramData\Decoder.exe
      "C:\ProgramData\Decoder.exe"
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1376
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\system32\timeout.exe
        timeout 4
        Delays execution with timeout.exe
        PID:2312

Network

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation


Downloads

  • C:\ProgramData\Decoder.exe
    MD5
    50b223696961a46e3f435c226b12f899
    SHA1
    f7e909e182969bdb44c3ed8c2c091967c54c7957
    SHA256
    658c50b49af49975e3a4bc1fa44337bb72dcf86b49dee68b2fa6e6dd353309b5
    SHA512
    b19377b68de8d62f5bc85bc523e22b98665a163a3553ba1acafdf068957a123877118698628034c0062c1370ea012c2bbf30175f06ada2e3d5181ad6233d8c36

  • C:\Users\Admin\AppData\Local\Temp\.cmd
    MD5
    73712247036b6a24d16502c57a3e5679
    SHA1
    65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
    SHA256
    8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
    SHA512
    548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

  • memory/1376-121-0x0000000000910000-0x0000000000C94000-memory.dmp
  • memory/1376-122-0x00000000064C0000-0x0000000006AC6000-memory.dmp
  • memory/1376-123-0x0000000005CD0000-0x0000000005CE2000-memory.dmp
  • memory/1376-124-0x0000000005D30000-0x0000000005D6E000-memory.dmp
  • memory/1376-125-0x0000000005D70000-0x0000000005DBB000-memory.dmp
  • memory/1376-126-0x0000000005EA0000-0x0000000005EA1000-memory.dmp
  • memory/1376-127-0x0000000005FC0000-0x00000000060CA000-memory.dmp
  • memory/2416-117-0x0000023C9C280000-0x0000023C9C282000-memory.dmp
  • memory/2416-116-0x0000023C9C010000-0x0000023C9C086000-memory.dmp
  • memory/2416-115-0x0000023C819A0000-0x0000023C81C46000-memory.dmp