Analysis

  • max time kernel
    96s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-04-2022 00:12

General

  • Target

    bc9964b04c2c38eb8fab28aae525071e.exe

  • Size

    106KB

  • MD5

    bc9964b04c2c38eb8fab28aae525071e

  • SHA1

    62599cf43426898880b02997370780db75a157bf

  • SHA256

    deceeec4d99e6b4b70de57d6ee732b1f70e6cbb9ea27d0bb7304fd51b1ca0b2d

  • SHA512

    388c8136ee8e78c31266ac7b56ea177573fae7f6935fc6fce399fa724b68b57fb094fc6f0ef6d84e1b92566b48693108cfb7c18b4917c63f1086c5441c19a46f

Malware Config

Extracted

Family

redline

Botnet

7

C2

49.12.222.31:8854

Attributes
  • auth_value

    811329e6a45eab1a6b331f7b5c15ef6d

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check (stealers commonly exit on certain locales before touching any data).

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers target stored browser data, which can include saved credentials, cookies, autofill entries and session tokens.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for a stealer family such as RedLine, drive enumeration is more plausibly part of file/wallet collection than encryption, so treat this signature as a collection indicator in context.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc9964b04c2c38eb8fab28aae525071e.exe
    "C:\Users\Admin\AppData\Local\Temp\bc9964b04c2c38eb8fab28aae525071e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Users\Admin\AppData\Local\Temp\exe.exe
      "C:\Users\Admin\AppData\Local\Temp\exe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3592

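The indicators above (sample hashes, the dropped exe.exe, and the extracted C2 49.12.222.31:8854) are what a responder would turn into a matcher. The following Python is an added example, not part of the sandbox report or of RedLine itself: it collects the report's hashes and C2 into an IOC set, verifies a file on disk against the listed digests, and runs the IOCs over a few constructed Sysmon-style events (the telemetry is made up for the example; the Sysmon field names EventID, Image, ParentImage, Hashes, DestinationIp and DestinationPort are the real ones).

```python
"""IOC matcher built from the indicators in this report.

Added example, not part of the sandbox report. Hash values, the C2 endpoint and
the dropped-file path are taken from the report; the telemetry below is
constructed to look like Sysmon event fields and is not real data.
"""
import hashlib

# Hashes of the submitted sample, copied from the General section of the report.
REPORT_TARGET_HASHES = {
    "md5": "bc9964b04c2c38eb8fab28aae525071e",
    "sha1": "62599cf43426898880b02997370780db75a157bf",
    "sha256": "deceeec4d99e6b4b70de57d6ee732b1f70e6cbb9ea27d0bb7304fd51b1ca0b2d",
    "sha512": "388c8136ee8e78c31266ac7b56ea177573fae7f6935fc6fce399fa724b68b57f"
              "b094fc6f0ef6d84e1b92566b48693108cfb7c18b4917c63f1086c5441c19a46f",
}
# SHA256 of both PE files in the report, mapped to a label.
SHA256_IOCS = {
    "deceeec4d99e6b4b70de57d6ee732b1f70e6cbb9ea27d0bb7304fd51b1ca0b2d":
        "bc9964b04c2c38eb8fab28aae525071e.exe (submitted sample)",
    "fb62b0e284bddf9a8cf125e945a06f6687c783768690db4ed4e490e858272496":
        "exe.exe (dropped payload)",
}
# Extracted RedLine C2 (IP, port) and the drop location used by the sample.
C2_IOCS = {("49.12.222.31", 8854)}
DROPPED_PATH_SUFFIX = r"\appdata\local\temp\exe.exe"


def hash_bytes(data: bytes) -> dict:
    """Hex digests in the same four algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def hash_file(path) -> dict:
    """Same as hash_bytes but streamed, so a 2.0MB drop is not read whole."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def mismatched_against_report(computed: dict) -> list:
    """Names of algorithms whose digest differs from the report's target hashes.

    An empty list means every listed digest matches, i.e. the file on disk is
    the same bytes the sandbox analysed."""
    return sorted(name for name, want in REPORT_TARGET_HASHES.items()
                  if computed.get(name, "").lower() != want)


def parse_sysmon_hashes(field: str) -> dict:
    """Turn a Sysmon 'Hashes' field ('MD5=..,SHA256=..') into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(ev: dict) -> list:
    """IOC hits for one event: hash or path on process creation (EventID 1),
    C2 endpoint on network connections (EventID 3)."""
    hits = []
    if ev.get("EventID") == 1:
        sha = parse_sysmon_hashes(ev.get("Hashes", "")).get("SHA256")
        if sha in SHA256_IOCS:
            hits.append("hash: " + SHA256_IOCS[sha])
        if ev.get("Image", "").lower().endswith(DROPPED_PATH_SUFFIX):
            hits.append("path: payload executed from %TEMP%\\exe.exe")
    elif ev.get("EventID") == 3:
        if (ev.get("DestinationIp"), ev.get("DestinationPort")) in C2_IOCS:
            hits.append("network: connection to RedLine C2 49.12.222.31:8854")
    return hits


def scan_events(events) -> list:
    """(index, hits) for every event with at least one IOC hit."""
    results = []
    for idx, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((idx, hits))
    return results


# Constructed telemetry (not from the report): the first two events mirror the
# report's process tree and C2 callback, the last two are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\exe.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\bc9964b04c2c38eb8fab28aae525071e.exe",
     "Hashes": "SHA256=FB62B0E284BDDF9A8CF125E945A06F6687C783768690DB4ED4E490E858272496"},
    {"EventID": 3, "Image": r"C:\Users\Admin\AppData\Local\Temp\bc9964b04c2c38eb8fab28aae525071e.exe",
     "DestinationIp": "49.12.222.31", "DestinationPort": 8854},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {hits}")
    print("report hashes self-consistent:",
          mismatched_against_report(REPORT_TARGET_HASHES) == [])
```

To check a quarantined file against this report, call `mismatched_against_report(hash_file(path))`; anything other than an empty list means the bytes differ from what the sandbox ran, which matters because RedLine builds are repacked per campaign and a hash miss does not clear the file. The network match is deliberately on the (IP, port) pair rather than the IP alone, because 49.12.222.31 sits in a hosting range that serves unrelated tenants.
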
Network

MITRE ATT&CK Matrix (ATT&CK v6; the number is the count of matched signatures mapped to each technique)

  • Credential Access: Credentials in Files (T1081), 2 matched signatures
  • Discovery: Query Registry (T1012), 2 matched signatures
  • Discovery: System Information Discovery (T1082), 2 matched signatures
  • Collection: Data from Local System (T1005), 2 matched signatures

These IDs follow ATT&CK v6. In current ATT&CK versions T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files); T1012, T1082 and T1005 keep their IDs.


Downloads

  • C:\Users\Admin\AppData\Local\Temp\exe.exe
    Filesize

    2.0MB

    MD5

    2c34d1bf1f3672b5f05c88b6196a3afb

    SHA1

    9e3808163d2ef983243053daf1004bcef1e3adf4

    SHA256

    fb62b0e284bddf9a8cf125e945a06f6687c783768690db4ed4e490e858272496

    SHA512

    ad209a25b716e03faa299b5289fce4a3d3beddc35b10373288c5668de849dd2028614306ad10181c9b05d448fd25ea73bb01fb1df465e4cef5e1ade635775703


  • memory/3592-143-0x0000000000000000-mapping.dmp
  • memory/3656-138-0x00000000066E0000-0x0000000006756000-memory.dmp
    Filesize

    472KB

  • memory/3656-134-0x0000000005720000-0x000000000575C000-memory.dmp
    Filesize

    240KB

  • memory/3656-135-0x00000000067F0000-0x0000000006D94000-memory.dmp
    Filesize

    5.6MB

  • memory/3656-136-0x0000000006240000-0x00000000062D2000-memory.dmp
    Filesize

    584KB

  • memory/3656-137-0x0000000005B80000-0x0000000005BE6000-memory.dmp
    Filesize

    408KB

  • memory/3656-130-0x0000000000D30000-0x0000000000D50000-memory.dmp
    Filesize

    128KB

  • memory/3656-139-0x0000000006760000-0x000000000677E000-memory.dmp
    Filesize

    120KB

  • memory/3656-140-0x0000000007250000-0x0000000007412000-memory.dmp
    Filesize

    1.8MB

  • memory/3656-141-0x0000000007950000-0x0000000007E7C000-memory.dmp
    Filesize

    5.2MB

  • memory/3656-142-0x0000000002FD0000-0x0000000003020000-memory.dmp
    Filesize

    320KB

  • memory/3656-133-0x00000000057F0000-0x00000000058FA000-memory.dmp
    Filesize

    1.0MB

  • memory/3656-132-0x00000000056C0000-0x00000000056D2000-memory.dmp
    Filesize

    72KB

  • memory/3656-131-0x0000000005C20000-0x0000000006238000-memory.dmp
    Filesize

    6.1MB