Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
19-02-2022 11:46
General
-
Target
463f4d8ebcbe894ce30c7d08f6e469d934399b7be6d208ccdddf319dfc57e6fe.exe
-
Size
4.5MB
-
MD5
22b96b68b4372ff2ce604723e9436963
-
SHA1
066ff406521cc2f0aed70414ee8d4d7751d0fe2a
-
SHA256
463f4d8ebcbe894ce30c7d08f6e469d934399b7be6d208ccdddf319dfc57e6fe
-
SHA512
0ecde5a89dd548cf16867c9a6c66c5b12f2b2e51920c1ab7cc1ff241f69a03116fe011aed2172c00cfe708c77856d5fe19d59b01a3880e3dfe38509a682d8a38
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
@Zexan
C2
92.255.85.137:41320
Attributes
-
auth_value
da8092c88adbe82a93341dec420f0fa7
Extracted
Family
allcome
C2
http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/Clipper/configure.php?cf6zrlhn=Rachel
Wallets
DCbpjBAroXBj3jrvq8HRPAKd8wYPnBwwi7
rKewCaU4Q6gqJnb5nJqkDY69QoxHKXAJZi
Xiem2Rw5LULbzv6rM49FqKAKD1nHSxpjxb
TZ3Pn82NBECik8ujtc3Wu5AVsQLCdt7cG1
t1Pxn7QZPAVhrsd2cdPHDEjDR1jtwpoUvbT
GDKPOPZWADWVDB2B743X7Q5QIMXIFJTIJ3K3JTR5P2EKO22GJQRAZRKC
497qdSyfY8t9dYnAGTnk8UigUbUPL4MXTFAxobWPDZ5rReSiVNL22GEGt9ptgNbDbTe3qyj3oRq2LfEYbws8yGqnSjBWHR6
qra53qtr5kvaye7gvf5algrre5h0w6harqxluum6kp
bc1q79xgc502sqzt4qz0jhr7lr7qdxkf2z006gym0l
0X9BD5F03363CA0231A32B3B36AE2CF01623E2D1FE
LcPqsR8yyzukNBgoKrq3pKEXV4rpuMeF91
ronin:09864801afc2b70c960366f4c8ad806fe9d6965d
ltc1qsdn52gjku7sts4r64fyqelqkfm789gvagglnaj
bc1q79xgc502sqzt4qz0jhr7lr7qdxkf2z006gym0l
Signatures
-
Allcome
A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 21 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 19 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs
-
Suspicious use of SetThreadContext 39 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\463f4d8ebcbe894ce30c7d08f6e469d934399b7be6d208ccdddf319dfc57e6fe.exe"C:\Users\Admin\AppData\Local\Temp\463f4d8ebcbe894ce30c7d08f6e469d934399b7be6d208ccdddf319dfc57e6fe.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\soska.exe"C:\Users\Admin\AppData\Local\Temp\soska.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"6⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"8⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"10⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"11⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"12⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"13⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina14⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"14⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"15⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"16⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"17⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"18⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"19⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina20⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"20⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"21⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina22⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"22⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"23⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina24⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"24⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"25⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina26⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"26⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"27⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina28⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"28⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"29⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina30⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"30⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"31⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina32⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"32⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina34⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"34⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"35⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina36⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"36⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"37⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina38⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"38⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x8C40cd0F96391e6afc8F91744843EFc210e6B95d -coin etc -worker platina40⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "platina" "etc"40⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bayden.exe"C:\Users\Admin\AppData\Local\Temp\bayden.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /tn NvTmRep_CrashReport3_{B2FE1952-0186} /sc MINUTE /tr C:\Users\Admin\AppData\Local\CrashDumps\subst.exe4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\CrashDumps\subst.exeC:\Users\Admin\AppData\Local\CrashDumps\subst.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17.2MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
168KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
168KB
-
Filesize
17.2MB
-
Filesize
2.5MB
-
Filesize
8.1MB
-
Filesize
7.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
8.1MB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
17.2MB
-
Filesize
8.1MB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
17.2MB
-
Filesize
168KB
-
Filesize
17.2MB
-
Filesize
8.1MB
-
Filesize
168KB
-
Filesize
8.1MB
-
Filesize
168KB
-
Filesize
248KB
-
Filesize
6.0MB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
128KB
-
Filesize
120KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
300KB
-
Filesize
1.0MB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
8.1MB
-
Filesize
17.2MB
-
Filesize
17.2MB