Overview

overview

10

Static

static

XFT-21062-22.exe

windows7_x64

10

XFT-21062-22.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294183s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    14-03-2022 10:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XFT-21062-22.exe

  • Size

    829KB

  • MD5

    d733380b2e13ba9a8c2fb23a770a56e7

  • SHA1

    53145071b9a816bd76372351bb0b9aeffd25d864

  • SHA256

    23af733a95426c2ba12f205acbdc6516ab4a12579b5de3a66d45a688a37e1d95

  • SHA512

    027f3cff826eafbca9a0f5aad4f44b4ba94aa55886279c504fc03fcd78f97ba7a93832f719a5b2ebcbb2f0d6c03804adf72697b6c29ca20a0b14115def6945c4

Score
10/10
redlinebillydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

billy

C2

45.133.174.87:15028

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
    "C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"
    1⤵
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:300
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
      "C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

3
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    696f80d5a39aa2aa5bae6281d977ce0e

    SHA1

    6ed2780ff3b3b94c9823959581649dfe09d66a6a

    SHA256

    34313d60308c3c7f3160cfb4d8e9ed8207222e7c5946a6c6e0c5d2211f5622c7

    SHA512

    9266636fae24e81035bfedef930fd1d584c2ec1b1f3bb2d41dde441b9e125a64e7ade7276f15dff9a232aee69fb793e8f3f7f9e06fa9056afb814589de589ad5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    696f80d5a39aa2aa5bae6281d977ce0e

    SHA1

    6ed2780ff3b3b94c9823959581649dfe09d66a6a

    SHA256

    34313d60308c3c7f3160cfb4d8e9ed8207222e7c5946a6c6e0c5d2211f5622c7

    SHA512

    9266636fae24e81035bfedef930fd1d584c2ec1b1f3bb2d41dde441b9e125a64e7ade7276f15dff9a232aee69fb793e8f3f7f9e06fa9056afb814589de589ad5

    Download Submit
  • memory/268-89-0x0000000002441000-0x0000000002442000-memory.dmp
    Filesize

    4KB

    Download
  • memory/268-91-0x0000000002442000-0x0000000002444000-memory.dmp
    Filesize

    8KB

    Download
  • memory/268-80-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/268-60-0x00000000767A1000-0x00000000767A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/268-65-0x000000006F7F0000-0x000000006FD9B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/268-86-0x000000006F7F0000-0x000000006FD9B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/300-73-0x000000006F7F0000-0x000000006FD9B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/300-88-0x00000000023B0000-0x0000000002FFA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/300-90-0x00000000023B0000-0x0000000002FFA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/300-79-0x00000000023B0000-0x0000000002FFA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1604-76-0x0000000002370000-0x0000000002FBA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1604-71-0x000000006F7F0000-0x000000006FD9B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1604-69-0x0000000002370000-0x0000000002FBA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1604-92-0x0000000002370000-0x0000000002FBA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1980-54-0x00000000010A0000-0x0000000001176000-memory.dmp
    Filesize

    856KB

    Download
  • memory/1980-59-0x0000000000650000-0x0000000000684000-memory.dmp
    Filesize

    208KB

    Download
  • memory/1980-58-0x0000000004C95000-0x0000000004CA6000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1980-57-0x0000000004E90000-0x0000000004F36000-memory.dmp
    Filesize

    664KB

    Download
  • memory/1980-56-0x0000000004C90000-0x0000000004C91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1980-55-0x00000000749E0000-0x00000000750CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2036-72-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2036-85-0x00000000749E0000-0x00000000750CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2036-68-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2036-87-0x0000000004D90000-0x0000000004D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2036-75-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2036-82-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2036-84-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2036-78-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2036-66-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download