Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10-05-2022 14:56

General

  • Target

    3a339de235242061e8af92ed17d9838e.exe

  • Size

    4MB

  • MD5

    3a339de235242061e8af92ed17d9838e

  • SHA1

    0a697ae927bb4167ae2fca4ebb38d9926843c4ea

  • SHA256

    8992d2265f134a8d823d152e745f2fce0c7a2b4fa05bdb6f52e880e03abc20e2

  • SHA512

    3ab0b8fb77a8916e418a08077165c2de1893b7a755042c08d7ba7b591837fc4b26172c19a6c81d9eb4c1bbebdd62097abf66f4105c40eb6e6d7ad3b88c71aee1

Malware Config

Extracted

Family

redline

Botnet

install

C2

31.41.244.92:6188

Attributes
auth_value
eb23a0ca5a38a3bf1eb16b2f08524f35

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload ⋅ 1 IoCs
  • Executes dropped EXE ⋅ 2 IoCs
  • UPX packed file ⋅ 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL ⋅ 3 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
  • Checks installed software on the system ⋅ 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses ⋅ 3 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a339de235242061e8af92ed17d9838e.exe
    "C:\Users\Admin\AppData\Local\Temp\3a339de235242061e8af92ed17d9838e.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Roaming\dsf.exe
      C:\Users\Admin\AppData\Roaming\dsf.exe
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1448
    • C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
      C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
        Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 0
          PID:436

Network

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\dsf.exe
                      MD5

                      50a3d597e7dd7a7cc9027f31fdf37e9b

                      SHA1

                      8e312f2d1f45ef6c689c71dd1983da2622dc3a74

                      SHA256

                      fd5681cdb263b7cd8de85c81bcf9fdf4263efadac6b280fa05827a78c61a9e81

                      SHA512

                      041bbcba298e82620d5ca8ea49b828003479e41a5e12251effb75ca735b3e7664bc8812300ce4f3fbff9dfe16783cd5cf38e143ec61586de89113cd149b950c9

                    • C:\Users\Admin\AppData\Roaming\dsf.exe
                      MD5

                      50a3d597e7dd7a7cc9027f31fdf37e9b

                      SHA1

                      8e312f2d1f45ef6c689c71dd1983da2622dc3a74

                      SHA256

                      fd5681cdb263b7cd8de85c81bcf9fdf4263efadac6b280fa05827a78c61a9e81

                      SHA512

                      041bbcba298e82620d5ca8ea49b828003479e41a5e12251effb75ca735b3e7664bc8812300ce4f3fbff9dfe16783cd5cf38e143ec61586de89113cd149b950c9

                    • C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
                      MD5

                      5a4e5454977ef57754968be2b696adcf

                      SHA1

                      0a008f2cff955a31ad28efa8638c1aa7a31a1fde

                      SHA256

                      2a58e995450c2b5c22e73386a861933ed0c11f34cab59eec2076dff6291d1a1b

                      SHA512

                      861f29bcef1493642f6cd67e5af7ebcc808dbee71c246661b2589cc1fa194590aed61a913a834a96b49c5c4e67a08c69ed412817bb5707af6f38a5ca7661b6bf

                    • C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
                      MD5

                      5a4e5454977ef57754968be2b696adcf

                      SHA1

                      0a008f2cff955a31ad28efa8638c1aa7a31a1fde

                      SHA256

                      2a58e995450c2b5c22e73386a861933ed0c11f34cab59eec2076dff6291d1a1b

                      SHA512

                      861f29bcef1493642f6cd67e5af7ebcc808dbee71c246661b2589cc1fa194590aed61a913a834a96b49c5c4e67a08c69ed412817bb5707af6f38a5ca7661b6bf

                    • \Users\Admin\AppData\Roaming\dsf.exe
                      MD5

                      50a3d597e7dd7a7cc9027f31fdf37e9b

                      SHA1

                      8e312f2d1f45ef6c689c71dd1983da2622dc3a74

                      SHA256

                      fd5681cdb263b7cd8de85c81bcf9fdf4263efadac6b280fa05827a78c61a9e81

                      SHA512

                      041bbcba298e82620d5ca8ea49b828003479e41a5e12251effb75ca735b3e7664bc8812300ce4f3fbff9dfe16783cd5cf38e143ec61586de89113cd149b950c9

                    • \Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
                      MD5

                      5a4e5454977ef57754968be2b696adcf

                      SHA1

                      0a008f2cff955a31ad28efa8638c1aa7a31a1fde

                      SHA256

                      2a58e995450c2b5c22e73386a861933ed0c11f34cab59eec2076dff6291d1a1b

                      SHA512

                      861f29bcef1493642f6cd67e5af7ebcc808dbee71c246661b2589cc1fa194590aed61a913a834a96b49c5c4e67a08c69ed412817bb5707af6f38a5ca7661b6bf

                    • \Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
                      MD5

                      5a4e5454977ef57754968be2b696adcf

                      SHA1

                      0a008f2cff955a31ad28efa8638c1aa7a31a1fde

                      SHA256

                      2a58e995450c2b5c22e73386a861933ed0c11f34cab59eec2076dff6291d1a1b

                      SHA512

                      861f29bcef1493642f6cd67e5af7ebcc808dbee71c246661b2589cc1fa194590aed61a913a834a96b49c5c4e67a08c69ed412817bb5707af6f38a5ca7661b6bf

                    • memory/436-67-0x0000000000000000-mapping.dmp
                    • memory/1212-61-0x0000000000000000-mapping.dmp
                    • memory/1448-63-0x0000000000C20000-0x0000000000C38000-memory.dmp
                    • memory/1448-64-0x0000000000280000-0x00000000002A0000-memory.dmp
                    • memory/1448-56-0x0000000000000000-mapping.dmp
                    • memory/1728-66-0x0000000000000000-mapping.dmp
                    • memory/1964-54-0x0000000075F61000-0x0000000075F63000-memory.dmp