Overview

overview

10

Static

static

a410935df7...7c.exe

windows7_x64

10

a410935df7...7c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    14-04-2022 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a410935df72f79ea065d92b0036b287c.exe

  • Size

    4.5MB

  • MD5

    a410935df72f79ea065d92b0036b287c

  • SHA1

    28465a4ab42d116fe260e103557b60dca92e02ce

  • SHA256

    98fea55f7585644b6f43651491e22f91fd57a1b99c4320c11a0f67ce7c486885

  • SHA512

    359f3c9af3a2968a0be4952bc2b286db670e546ac0232a0c0ac6fe39347c485e1ac140755be5c9e45606f5a02354802b1a6699bccf6e56ad1435105471c6d03d

Score
10/10
metastealerredline10evasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

10

C2

185.183.32.227:80

Attributes
  • auth_value

    187348b4b0ba6b71d26eaf47eb720dc2

Signatures

  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a410935df72f79ea065d92b0036b287c.exe
    "C:\Users\Admin\AppData\Local\Temp\a410935df72f79ea065d92b0036b287c.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4772-147-0x0000000005650000-0x000000000568C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4772-149-0x0000000007010000-0x00000000075B4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4772-139-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4772-144-0x0000000005AD0000-0x00000000060E8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4772-145-0x0000000005570000-0x0000000005582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4772-146-0x00000000056A0000-0x00000000057AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4772-138-0x0000000000000000-mapping.dmp
    Download
  • memory/4772-148-0x00000000068E0000-0x0000000006946000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4772-155-0x0000000007C60000-0x0000000007CB0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4772-150-0x0000000006B50000-0x0000000006BE2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4772-151-0x0000000006BF0000-0x0000000006C66000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4772-152-0x0000000006F10000-0x0000000006F2E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4772-153-0x0000000007890000-0x0000000007A52000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4772-154-0x0000000007F90000-0x00000000084BC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4780-134-0x0000000000400000-0x0000000000D5F000-memory.dmp
    Filesize

    9.4MB

    Download