Overview

overview

10

Static

static

6001765828...b1.exe

windows7_x64

10

6001765828...b1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6001765828ad44213832ba7b000e05a4eaa199ccc4406211bd3254ee37198db1.exe

  • Size

    778KB

  • MD5

    687c3434460c67dd5e2ff065b3861104

  • SHA1

    662479ca2b8f7f57e08cbb9c58bda2f81285c3e7

  • SHA256

    6001765828ad44213832ba7b000e05a4eaa199ccc4406211bd3254ee37198db1

  • SHA512

    798fc8a7eb6ac5e18369edfd20cfac48b6776cf5c8eb36cdbf3e90ae2cc6a64080a59b25d86820361373677d3e26a6bf21e1c5b0058b372ff7d1eda0524cd534

Score
10/10
metastealerredlinediscoveryinfostealerspywarestealer

Malware Config

Signatures

  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6001765828ad44213832ba7b000e05a4eaa199ccc4406211bd3254ee37198db1.exe
    "C:\Users\Admin\AppData\Local\Temp\6001765828ad44213832ba7b000e05a4eaa199ccc4406211bd3254ee37198db1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\6001765828ad44213832ba7b000e05a4eaa199ccc4406211bd3254ee37198db1.exe
      "C:\Users\Admin\AppData\Local\Temp\6001765828ad44213832ba7b000e05a4eaa199ccc4406211bd3254ee37198db1.exe"
      2⤵
        PID:2264
      • C:\Users\Admin\AppData\Local\Temp\6001765828ad44213832ba7b000e05a4eaa199ccc4406211bd3254ee37198db1.exe
        "C:\Users\Admin\AppData\Local\Temp\6001765828ad44213832ba7b000e05a4eaa199ccc4406211bd3254ee37198db1.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1040

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6001765828ad44213832ba7b000e05a4eaa199ccc4406211bd3254ee37198db1.exe.log
      Filesize

      700B

      MD5

      20c5ad8f8aca8dc8c1c6ea73fe22a372

      SHA1

      7d50d93e1c109ea1fb26222b853d130e50cf5c44

      SHA256

      cb68eb943e4b793e2c02a2d20ffa600ed10921527234d8750f52a62a81e80c66

      SHA512

      49c289e45900953119fe386b27cac7fe98fe203759876361ec2f453a92163bdf4f5d527d7f9d02e9c54ccc0feb6e64764ab481081d4e29d5502d0be776c43868

      Download Submit

    • memory/1040-142-0x0000000006610000-0x00000000066A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1040-139-0x0000000005750000-0x0000000005762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1040-147-0x0000000008F30000-0x0000000008FCC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1040-140-0x00000000057B0000-0x00000000057EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1040-136-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1040-146-0x0000000008E40000-0x0000000008E90000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1040-141-0x0000000005A50000-0x0000000005B5A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1040-145-0x00000000076B0000-0x0000000007716000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1040-144-0x0000000007AE0000-0x000000000800C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1040-138-0x0000000005E50000-0x0000000006468000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1040-143-0x00000000073E0000-0x00000000075A2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1512-130-0x0000000000250000-0x0000000000318000-memory.dmp

      Filesize

      800KB

      Download

    • memory/1512-132-0x000000000A9F0000-0x000000000AF94000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1512-133-0x000000000A340000-0x000000000A35E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1512-131-0x000000000A3C0000-0x000000000A436000-memory.dmp

      Filesize

      472KB

      Download