Analysis
- max time kernel: 43s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 10-05-2022 14:56

Static task: static1
Behavioral task: behavioral1
Sample: 3a339de235242061e8af92ed17d9838e.exe
Resource: win7-20220414-en
General
- Target: 3a339de235242061e8af92ed17d9838e.exe
- Size: 4.1MB
- MD5: 3a339de235242061e8af92ed17d9838e
- SHA1: 0a697ae927bb4167ae2fca4ebb38d9926843c4ea
- SHA256: 8992d2265f134a8d823d152e745f2fce0c7a2b4fa05bdb6f52e880e03abc20e2
- SHA512: 3ab0b8fb77a8916e418a08077165c2de1893b7a755042c08d7ba7b591837fc4b26172c19a6c81d9eb4c1bbebdd62097abf66f4105c40eb6e6d7ad3b88c71aee1
Malware Config
Extracted (redline)
- install: 31.41.244.92:6188
- auth_value: eb23a0ca5a38a3bf1eb16b2f08524f35
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoC)
  Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1448-64-0x0000000000280000-0x00000000002A0000-memory.dmp    family_redline
- Executes dropped EXE (2 IoCs)
  Processes:
  pid   process
  1448  dsf.exe
  1212  yaeblan_v0.7b_windows_64.exe
- yara_rule: upx
  Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe     upx
  \Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe     upx
  C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe   upx
  C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe   upx
- Loads dropped DLL (3 IoCs)
  Processes:
  pid   process
  1964  3a339de235242061e8af92ed17d9838e.exe
  1964  3a339de235242061e8af92ed17d9838e.exe
  1964  3a339de235242061e8af92ed17d9838e.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid   process
  1212  yaeblan_v0.7b_windows_64.exe
  1212  yaeblan_v0.7b_windows_64.exe
  1448  dsf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1448  dsf.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                        pid   process                                 target process
  PID 1964 wrote to memory of 1448   1964  3a339de235242061e8af92ed17d9838e.exe    dsf.exe
  PID 1964 wrote to memory of 1448   1964  3a339de235242061e8af92ed17d9838e.exe    dsf.exe
  PID 1964 wrote to memory of 1448   1964  3a339de235242061e8af92ed17d9838e.exe    dsf.exe
  PID 1964 wrote to memory of 1448   1964  3a339de235242061e8af92ed17d9838e.exe    dsf.exe
  PID 1964 wrote to memory of 1212   1964  3a339de235242061e8af92ed17d9838e.exe    yaeblan_v0.7b_windows_64.exe
  PID 1964 wrote to memory of 1212   1964  3a339de235242061e8af92ed17d9838e.exe    yaeblan_v0.7b_windows_64.exe
  PID 1964 wrote to memory of 1212   1964  3a339de235242061e8af92ed17d9838e.exe    yaeblan_v0.7b_windows_64.exe
  PID 1964 wrote to memory of 1212   1964  3a339de235242061e8af92ed17d9838e.exe    yaeblan_v0.7b_windows_64.exe
  PID 1212 wrote to memory of 1728   1212  yaeblan_v0.7b_windows_64.exe            cmd.exe
  PID 1212 wrote to memory of 1728   1212  yaeblan_v0.7b_windows_64.exe            cmd.exe
  PID 1212 wrote to memory of 1728   1212  yaeblan_v0.7b_windows_64.exe            cmd.exe
  PID 1728 wrote to memory of 436    1728  cmd.exe                                 choice.exe
  PID 1728 wrote to memory of 436    1728  cmd.exe                                 choice.exe
  PID 1728 wrote to memory of 436    1728  cmd.exe                                 choice.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\3a339de235242061e8af92ed17d9838e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a339de235242061e8af92ed17d9838e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\dsf.exe
    Command line: C:\Users\Admin\AppData\Roaming\dsf.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
    Command line: C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\choice.exe
        Command line: choice /C Y /N /D Y /T 0
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\dsf.exe
  Filesize: 67KB
  MD5: 50a3d597e7dd7a7cc9027f31fdf37e9b
  SHA1: 8e312f2d1f45ef6c689c71dd1983da2622dc3a74
  SHA256: fd5681cdb263b7cd8de85c81bcf9fdf4263efadac6b280fa05827a78c61a9e81
  SHA512: 041bbcba298e82620d5ca8ea49b828003479e41a5e12251effb75ca735b3e7664bc8812300ce4f3fbff9dfe16783cd5cf38e143ec61586de89113cd149b950c9
- C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
  Filesize: 4.0MB
  MD5: 5a4e5454977ef57754968be2b696adcf
  SHA1: 0a008f2cff955a31ad28efa8638c1aa7a31a1fde
  SHA256: 2a58e995450c2b5c22e73386a861933ed0c11f34cab59eec2076dff6291d1a1b
  SHA512: 861f29bcef1493642f6cd67e5af7ebcc808dbee71c246661b2589cc1fa194590aed61a913a834a96b49c5c4e67a08c69ed412817bb5707af6f38a5ca7661b6bf
- \Users\Admin\AppData\Roaming\dsf.exe
  Filesize: 67KB
  MD5: 50a3d597e7dd7a7cc9027f31fdf37e9b
  SHA1: 8e312f2d1f45ef6c689c71dd1983da2622dc3a74
  SHA256: fd5681cdb263b7cd8de85c81bcf9fdf4263efadac6b280fa05827a78c61a9e81
  SHA512: 041bbcba298e82620d5ca8ea49b828003479e41a5e12251effb75ca735b3e7664bc8812300ce4f3fbff9dfe16783cd5cf38e143ec61586de89113cd149b950c9
- \Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
  Filesize: 4.0MB
  MD5: 5a4e5454977ef57754968be2b696adcf
  SHA1: 0a008f2cff955a31ad28efa8638c1aa7a31a1fde
  SHA256: 2a58e995450c2b5c22e73386a861933ed0c11f34cab59eec2076dff6291d1a1b
  SHA512: 861f29bcef1493642f6cd67e5af7ebcc808dbee71c246661b2589cc1fa194590aed61a913a834a96b49c5c4e67a08c69ed412817bb5707af6f38a5ca7661b6bf
- memory/436-67-0x0000000000000000-mapping.dmp
- memory/1212-61-0x0000000000000000-mapping.dmp
- memory/1448-63-0x0000000000C20000-0x0000000000C38000-memory.dmp
  Filesize: 96KB
- memory/1448-64-0x0000000000280000-0x00000000002A0000-memory.dmp
  Filesize: 128KB
- memory/1448-56-0x0000000000000000-mapping.dmp
- memory/1728-66-0x0000000000000000-mapping.dmp
- memory/1964-54-0x0000000075F61000-0x0000000075F63000-memory.dmp
  Filesize: 8KB