Analysis
- max time kernel: 125s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 28-03-2022 21:52

Static task: static1

Behavioral task: behavioral1
- Sample: main.exe
- Resource: win7-20220311-en

Behavioral task: behavioral2
- Sample: main.exe
- Resource: win10v2004-en-20220113

General
- Target: main.exe
- Size: 29.8MB
- MD5: 05eddf246ff3900650373bab2a45f8f1
- SHA1: 4b1aa434604bacd73857ee1058610ff442ed124f
- SHA256: 69db77173df272098da80c4bdff6147536b851809cfb2116fc0085bfc885a663
- SHA512: 8ff0d35ee7478dfe8a9371029d5080259d9e98548ab1119364c8a9d9292931fa0d7d85f95ede68242a682b22acac6e6499bf2c65a4d91ac04209d62e01684188

Malware Config
Extracted
- Family: redline
- Botnet: 1877
- C2: hawler.duckdns.org:56199
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 2 IoCs
Processes (resource | yara_rule):
- behavioral2/memory/4808-155-0x0000000000A50000-0x0000000001274000-memory.dmp | family_redline
- behavioral2/memory/4808-156-0x0000000000A50000-0x0000000001274000-memory.dmp | family_redline

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger Payload 4 IoCs
Processes (resource | yara_rule):
- behavioral2/memory/4228-130-0x0000000000C00000-0x00000000029D2000-memory.dmp | family_snakekeylogger
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe | family_snakekeylogger
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe | family_snakekeylogger
- behavioral2/memory/1624-141-0x0000000000240000-0x0000000000274000-memory.dmp | family_snakekeylogger

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Executes dropped EXE 4 IoCs
Processes (pid | process):
- 1340 | svchost.exe
- 1624 | svshost.exe
- 1092 | update.exe
- 4808 | csrss.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | csrss.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | csrss.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | main.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe | themida
- C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe | themida
- behavioral2/memory/4808-155-0x0000000000A50000-0x0000000001274000-memory.dmp | themida
- behavioral2/memory/4808-156-0x0000000000A50000-0x0000000001274000-memory.dmp | themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe
- Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe
- Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\update.exe" | main.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe" | main.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\svchost.exe" | main.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\One Drive = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\svshost.exe" | main.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
- 11 | checkip.dyndns.org
- 13 | freegeoip.app
- 14 | freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid | process):
- 4808 | csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid | process):
- 4228 | main.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid | process):
- 1624 | svshost.exe
- 4808 | csrss.exe
- 4808 | csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1624 | svshost.exe
- Token: SeDebugPrivilege | 4808 | csrss.exe

Suspicious use of WriteProcessMemory 20 IoCs
Processes (description | pid | process | target process):
- PID 4228 wrote to memory of 1340 | 4228 | main.exe | svchost.exe
- PID 4228 wrote to memory of 1340 | 4228 | main.exe | svchost.exe
- PID 4228 wrote to memory of 1340 | 4228 | main.exe | svchost.exe
- PID 4228 wrote to memory of 1624 | 4228 | main.exe | svshost.exe
- PID 4228 wrote to memory of 1624 | 4228 | main.exe | svshost.exe
- PID 4228 wrote to memory of 1624 | 4228 | main.exe | svshost.exe
- PID 4228 wrote to memory of 1092 | 4228 | main.exe | update.exe
- PID 4228 wrote to memory of 1092 | 4228 | main.exe | update.exe
- PID 4228 wrote to memory of 1092 | 4228 | main.exe | update.exe
- PID 1092 wrote to memory of 1316 | 1092 | update.exe | fondue.exe
- PID 1092 wrote to memory of 1316 | 1092 | update.exe | fondue.exe
- PID 1092 wrote to memory of 1316 | 1092 | update.exe | fondue.exe
- PID 4228 wrote to memory of 4808 | 4228 | main.exe | csrss.exe
- PID 4228 wrote to memory of 4808 | 4228 | main.exe | csrss.exe
- PID 4228 wrote to memory of 4808 | 4228 | main.exe | csrss.exe
- PID 1316 wrote to memory of 4152 | 1316 | fondue.exe | FonDUE.EXE
- PID 1316 wrote to memory of 4152 | 1316 | fondue.exe | FonDUE.EXE
- PID 1624 wrote to memory of 1132 | 1624 | svshost.exe | netsh.exe
- PID 1624 wrote to memory of 1132 | 1624 | svshost.exe | netsh.exe
- PID 1624 wrote to memory of 1132 | 1624 | svshost.exe | netsh.exe

outlook_office_path 1 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe

outlook_win_path 1 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe
Processes
(process tree; indentation shows depth, deeper entries are children of the nearest shallower entry above)

C:\Users\Admin\AppData\Local\Temp\main.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\main.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svchost.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svchost.exe"
  - Executes dropped EXE

  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe"
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path

    C:\Windows\SysWOW64\netsh.exe (depth 3)
    Command line: "netsh" wlan show profile

  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\update.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\update.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\fondue.exe (depth 3)
    Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\FonDUE.EXE (depth 4)
      Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

  C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svchost.exe
- Filesize: 30KB
- MD5: cd01b6f8a2e8fe00f0449df391c2f331
- SHA1: f3b8e7a655b312863b7b32129cb2a89a29bfc3d9
- SHA256: 0de434935d1308a30cf592be774296e2d14bb5780b21a69ed36c6d4c77976840
- SHA512: 752fcfce2d7f34d9be5a3bfd88169820d4b37131da67118bd7990763a4ed31890e072696da8e0840915d05054d9e491353b35ed76ac92bdb9a58a152b775cfb5

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe
- Filesize: 171KB
- MD5: c9e64773ed0c170edc9a82e7ade64a4b
- SHA1: 07fb7b49207ba40f5620ced4b61dbceab1223185
- SHA256: 8ff58b0569d87e4dd65124eb0e7e3bed83fe723e4726d3627958aa4914688e53
- SHA512: 9b7eb0e2a1cb2e1c94580dd47b2ed312de497fa4888b3c8f49bead5c406e8e06c99ccfa503fc4194c361e6759b8795abc266618c5222efe5dbd9442d3c866cdc

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\update.exe
- Filesize: 89KB
- MD5: 66379ef40063ccde19bbc3ac718d5161
- SHA1: 3e1f05f41309d57f7e3f42bc88fc68c83e2fcd5a
- SHA256: 5331ac560de3a551bab998560159171eda960d3f6861ae882ca02216b043b27a
- SHA512: d71a1b2d88aa825d26a5be2bc0b28bf04443eb8ed36df5768d390a53deb7ee320c88b697b7be98c507383714ff2ca3be9947548f45552ac4375797b9851c257a

C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
- Filesize: 3.0MB
- MD5: 9868cccd61dfd71cf70648324b02ffb1
- SHA1: 29c14c7576a229d7751693f7819425416dcd7cc7
- SHA256: 8786f2138dd203ad356814abffc716882b593f630f0ab46be144609777e8ef68
- SHA512: 59616302c9980971a3553a0d7c031f03550f4050339015c3b597fe0917502b495645248feef4047631618fae48990e4cf15bde170c7eea31d2f50501f360878e