Overview

overview

10

Static

static

10

bc9964b04c...1e.exe

windows7_x64

10

bc9964b04c...1e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    44s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-04-2022 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc9964b04c2c38eb8fab28aae525071e.exe

  • Size

    106KB

  • MD5

    bc9964b04c2c38eb8fab28aae525071e

  • SHA1

    62599cf43426898880b02997370780db75a157bf

  • SHA256

    deceeec4d99e6b4b70de57d6ee732b1f70e6cbb9ea27d0bb7304fd51b1ca0b2d

  • SHA512

    388c8136ee8e78c31266ac7b56ea177573fae7f6935fc6fce399fa724b68b57fb094fc6f0ef6d84e1b92566b48693108cfb7c18b4917c63f1086c5441c19a46f

Score
10/10
redline7discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

7

C2

49.12.222.31:8854

Attributes
  • auth_value

    811329e6a45eab1a6b331f7b5c15ef6d

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc9964b04c2c38eb8fab28aae525071e.exe
    "C:\Users\Admin\AppData\Local\Temp\bc9964b04c2c38eb8fab28aae525071e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\exe.exe
      "C:\Users\Admin\AppData\Local\Temp\exe.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\exe.exe
    Filesize

    2.0MB

    MD5

    2c34d1bf1f3672b5f05c88b6196a3afb

    SHA1

    9e3808163d2ef983243053daf1004bcef1e3adf4

    SHA256

    fb62b0e284bddf9a8cf125e945a06f6687c783768690db4ed4e490e858272496

    SHA512

    ad209a25b716e03faa299b5289fce4a3d3beddc35b10373288c5668de849dd2028614306ad10181c9b05d448fd25ea73bb01fb1df465e4cef5e1ade635775703

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\exe.exe
    Filesize

    2.0MB

    MD5

    2c34d1bf1f3672b5f05c88b6196a3afb

    SHA1

    9e3808163d2ef983243053daf1004bcef1e3adf4

    SHA256

    fb62b0e284bddf9a8cf125e945a06f6687c783768690db4ed4e490e858272496

    SHA512

    ad209a25b716e03faa299b5289fce4a3d3beddc35b10373288c5668de849dd2028614306ad10181c9b05d448fd25ea73bb01fb1df465e4cef5e1ade635775703

    Download Submit
  • \Users\Admin\AppData\Local\Temp\exe.exe
    Filesize

    2.0MB

    MD5

    2c34d1bf1f3672b5f05c88b6196a3afb

    SHA1

    9e3808163d2ef983243053daf1004bcef1e3adf4

    SHA256

    fb62b0e284bddf9a8cf125e945a06f6687c783768690db4ed4e490e858272496

    SHA512

    ad209a25b716e03faa299b5289fce4a3d3beddc35b10373288c5668de849dd2028614306ad10181c9b05d448fd25ea73bb01fb1df465e4cef5e1ade635775703

    Download Submit
  • memory/428-56-0x0000000000000000-mapping.dmp
    Download
  • memory/428-58-0x0000000075381000-0x0000000075383000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1992-54-0x0000000000A70000-0x0000000000A90000-memory.dmp
    Filesize

    128KB

    Download