Analysis

- max time kernel: 112s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 01-04-2022 11:46

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (Sample: RQF #00811-AL WASL.exe, Resource: win7-20220310-en)
General

- Target: RQF #00811-AL WASL.exe
- Size: 1.5MB
- MD5: d870373e2ffd2b1788beaec4582f3f3d
- SHA1: 5553327f2dd0792f4d2f2171a8fb7122ecfb18fb
- SHA256: 64e046a94ea6f31a4a2cf9c77dc6e4f0d9e7455705668e8b354057c1d04f9b55
- SHA512: b2726b8c92946e84749682dd5cb3f32e12a449f539bdfe3ae31c1c6a71974d0bcef61468e8564fa1447714fc2b62401578acf7db0ac54e312f6e88977b426bdf
Malware Config

Extracted (family: redline):
- Botnet ID: jd
- C2: 96.47.234.207:15286
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload (1 IoC)
  Resource: behavioral2/memory/2220-136-0x0000000000400000-0x000000000041E000-memory.dmp
  YARA rule: family_redline

- Looks for VirtualBox Guest Additions in registry (2 TTPs)

- Looks for VMWare Tools registry key (2 TTPs)

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (RQF #00811-AL WASL.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (RQF #00811-AL WASL.exe)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (RQF #00811-AL WASL.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (RQF #00811-AL WASL.exe)

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 4456 (RQF #00811-AL WASL.exe) set thread context of PID 2220 (RQF #00811-AL WASL.exe)

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  - PID 4456 (RQF #00811-AL WASL.exe): 12 events
  - PID 2220 (RQF #00811-AL WASL.exe): 2 events

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 4456 (RQF #00811-AL WASL.exe)
  - Token: SeDebugPrivilege, PID 2220 (RQF #00811-AL WASL.exe)

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 4456 (RQF #00811-AL WASL.exe) wrote to memory of PID 1688 (RQF #00811-AL WASL.exe): 3 events
  - PID 4456 (RQF #00811-AL WASL.exe) wrote to memory of PID 2220 (RQF #00811-AL WASL.exe): 8 events
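The signature rows above describe two things worth turning into detection logic: registry reads under keys used to fingerprint a VM or sandbox (BIOS version strings, the Disk\Enum device list, the VirtualBox/VMware product keys), and a parent process (PID 4456) that writes into the memory of two children running its own image and then calls SetThreadContext on one of them (PID 2220), which is where the family_redline YARA hit lands. The following is an added example, not the sandbox's or the report's own code: the event records are constructed to mirror the report's rows (image name, PIDs, registry paths and event counts are taken from the page); the event schema, rule names, thresholds and the exact VirtualBox/VMware key paths are assumptions of this example.

```python
"""Triage heuristics over sandbox-style behavioural events.

Added example for this report, not the sandbox's own code. EVENTS is
constructed to mirror the IoC rows in the Signatures section; the event
schema, rule names and the VirtualBox/VMware key paths are assumptions.
"""
from collections import defaultdict

IMAGE = "RQF #00811-AL WASL.exe"


def _reg(kind, pid, path):
    return {"type": kind, "pid": pid, "image": IMAGE, "path": path}


def _xproc(kind, pid, target_pid):
    return {"type": kind, "pid": pid, "image": IMAGE,
            "target_pid": target_pid, "target_image": IMAGE}


# Constructed events mirroring the report's rows (counts as in the report).
EVENTS = [
    _reg("reg_query", 4456, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    _reg("reg_query", 4456, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    _reg("reg_open", 4456, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    _reg("reg_query", 4456, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"),
    *[_xproc("write_process_memory", 4456, 1688) for _ in range(3)],
    *[_xproc("write_process_memory", 4456, 2220) for _ in range(8)],
    _xproc("set_thread_context", 4456, 2220),
]

# Registry locations commonly read to fingerprint a VM or sandbox. The first
# three appear in the report's own IoCs; the last two are the keys its
# "Looks for VirtualBox / VMWare" signatures refer to (assumed exact paths).
VM_FINGERPRINT_KEYS = (
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"\SYSTEM\ControlSet001\Services\Disk\Enum",
    r"\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"\SOFTWARE\VMware, Inc.\VMware Tools",
)


def normalize_key(path):
    """Lower-case and strip the HKLM prefix so the report's mixed-case
    'Disk\\Enum' and 'disk\\Enum\\0' rows compare against the same key."""
    p = path.lower()
    for prefix in ("\\registry\\machine", "hklm"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p


def vm_fingerprint_hits(events):
    """Return (pid, matched_key) for every registry read under a fingerprint key."""
    hits = []
    for e in events:
        if e["type"] not in ("reg_query", "reg_open"):
            continue
        key = normalize_key(e["path"])
        for known in VM_FINGERPRINT_KEYS:
            if key.startswith(known.lower()):
                hits.append((e["pid"], known))
                break
    return hits


def hollowing_candidates(events):
    """Flag a (source, target) pair when the source wrote into the target's
    memory AND reset one of its thread contexts; that write-then-
    SetThreadContext sequence is what process hollowing produces. A target
    that was only written to (PID 1688 in the report) is not flagged."""
    writes = defaultdict(int)
    contexts = set()
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"], e["image"] == e["target_image"])] += 1
        elif e["type"] == "set_thread_context":
            contexts.add((e["pid"], e["target_pid"]))
    return [
        {"source": src, "target": dst, "writes": n, "same_image": same}
        for (src, dst, same), n in writes.items()
        if (src, dst) in contexts
    ]


def parse_dump_name(name):
    """Split 'memory/<pid>-<idx>-<start>-<end>-memory.dmp' into
    (pid, idx, start, end); mapping.dmp entries carry no region and give None."""
    parts = name.rsplit("/", 1)[-1].split("-")
    if len(parts) != 5 or parts[4] != "memory.dmp":
        return None
    return int(parts[0]), int(parts[1]), int(parts[2], 16), int(parts[3], 16)


def region_size_kib(name):
    """Size of a dumped region in KiB, or None for a mapping.dmp entry."""
    parsed = parse_dump_name(name)
    return None if parsed is None else (parsed[3] - parsed[2]) // 1024


if __name__ == "__main__":
    print("VM fingerprint reads:", vm_fingerprint_hits(EVENTS))
    print("hollowing candidates:", hollowing_candidates(EVENTS))
    for n in ("memory/4456-130-0x00000000003F0000-0x000000000056C000-memory.dmp",
              "memory/2220-136-0x0000000000400000-0x000000000041E000-memory.dmp",
              "memory/1688-134-0x0000000000000000-mapping.dmp"):
        print(n, region_size_kib(n))
```

Run stand-alone it reports four fingerprint reads by PID 4456, a single hollowing candidate (4456 into 2220, eight writes, same image), and sizes the 2220-136 region at 120 KiB, i.e. the child's 0x400000 region holding the RedLine payload is far smaller than the 1520 KiB parent image at 4456-130. The registry matcher is deliberately case-insensitive and prefix-based because the report itself shows the same key spelled both `Disk\Enum` and `disk\Enum\0`.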
Processes

PIDs below are taken from the signature tables above.

- C:\Users\Admin\AppData\Local\Temp\RQF #00811-AL WASL.exe (PID 4456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RQF #00811-AL WASL.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\RQF #00811-AL WASL.exe (PID 1688, child of PID 4456)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RQF #00811-AL WASL.exe"

  - C:\Users\Admin\AppData\Local\Temp\RQF #00811-AL WASL.exe (PID 2220, child of PID 4456)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RQF #00811-AL WASL.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RQF #00811-AL WASL.exe.log
  Filesize: 709B
  MD5: a1ef6491d8da3aeba79b1fb9dae7ee67
  SHA1: 5770f6bc40729e2a1bd992c63f0cad37f895b551
  SHA256: f7f9fadcb15620a0c2c37b15c7384fe41151b9df9496bd0aa61e04e3c768bd4e
  SHA512: 371d5c32bf0cced0cde23bad056d25f79f3361059a571ba2cbd9b56b1a19c76849db55256de7028b6020a6ae6b6f215892a8816bad48452cce6f080e6ef5c1e6

Memory dumps (name format: memory/<pid>-<index>-<start>-<end>-memory.dmp; sizes as listed):
- memory/4456-130-0x00000000003F0000-0x000000000056C000-memory.dmp  1.5MB
- memory/4456-131-0x0000000004E90000-0x0000000004F2C000-memory.dmp  624KB
- memory/4456-132-0x0000000005830000-0x0000000005DD4000-memory.dmp  5.6MB
- memory/4456-133-0x0000000005360000-0x00000000053C6000-memory.dmp  408KB
- memory/1688-134-0x0000000000000000-mapping.dmp
- memory/2220-135-0x0000000000000000-mapping.dmp
- memory/2220-136-0x0000000000400000-0x000000000041E000-memory.dmp  120KB (family_redline YARA hit)
- memory/2220-137-0x0000000005730000-0x0000000005D48000-memory.dmp  6.1MB
- memory/2220-138-0x0000000005110000-0x0000000005122000-memory.dmp  72KB
- memory/2220-139-0x0000000005170000-0x00000000051AC000-memory.dmp  240KB
- memory/2220-140-0x00000000053F0000-0x00000000054FA000-memory.dmp  1.0MB
- memory/2220-141-0x00000000066E0000-0x00000000068A2000-memory.dmp  1.8MB
- memory/2220-142-0x0000000006DE0000-0x000000000730C000-memory.dmp  5.2MB
- memory/2220-143-0x0000000006A20000-0x0000000006AB2000-memory.dmp  584KB
- memory/2220-144-0x0000000006CC0000-0x0000000006D36000-memory.dmp  472KB
- memory/2220-145-0x0000000007410000-0x000000000742E000-memory.dmp  120KB