Analysis
- max time kernel: 107s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-06-2022 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0b757d38d347d1f763f59ab7f0423ae8.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 0b757d38d347d1f763f59ab7f0423ae8.exe
  Resource: win10v2004-20220414-en
General
- Target: 0b757d38d347d1f763f59ab7f0423ae8.exe
- Size: 406KB
- MD5: 0b757d38d347d1f763f59ab7f0423ae8
- SHA1: fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577
- SHA256: 2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124
- SHA512: 0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94
Malware Config
Extracted
- Family: redline
- Botnet: X
- C2: 194.127.179.35:35180
- auth_value: 76e43cff05002e5f6e3334fa7946e404
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (4 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1180-136-0x000000000041ADAE-mapping.dmp | family_redline
behavioral2/memory/1180-142-0x00000000005C0000-0x00000000005E0000-memory.dmp | family_redline
behavioral2/memory/4456-164-0x000000000041ADAE-mapping.dmp | family_redline
behavioral2/memory/4592-174-0x000000000041ADAE-mapping.dmp | family_redline
Executes dropped EXE (3 IoCs)
Processes:
pid | process
3828 | WinRar Activator.exe
880 | chromedrivers32.exe
3012 | chromedrivers32.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 0b757d38d347d1f763f59ab7f0423ae8.exe
Uses the VBS compiler for execution (1 TTPs)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 3016 set thread context of 1180 | 3016 | 0b757d38d347d1f763f59ab7f0423ae8.exe | vbc.exe
PID 880 set thread context of 4456 | 880 | chromedrivers32.exe | vbc.exe
PID 3012 set thread context of 4592 | 3012 | chromedrivers32.exe | vbc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4108 | schtasks.exe
4124 | schtasks.exe
3892 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
1180 | vbc.exe
4456 | vbc.exe
4592 | vbc.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid | process
3016 | 0b757d38d347d1f763f59ab7f0423ae8.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3828 | WinRar Activator.exe
Token: SeDebugPrivilege | 1180 | vbc.exe
Token: SeDebugPrivilege | 4456 | vbc.exe
Token: SeDebugPrivilege | 4592 | vbc.exe
Suspicious use of WriteProcessMemory (44 IoCs)
Processes (identical rows collapsed, with the number of times each row appears in the report in the last column; the counts sum to 44):
description | pid | process | target process | rows
PID 3016 wrote to memory of 3396 | 3016 | 0b757d38d347d1f763f59ab7f0423ae8.exe | cmd.exe | 2
PID 3396 wrote to memory of 4124 | 3396 | cmd.exe | schtasks.exe | 2
PID 3016 wrote to memory of 3124 | 3016 | 0b757d38d347d1f763f59ab7f0423ae8.exe | cmd.exe | 2
PID 3016 wrote to memory of 1180 | 3016 | 0b757d38d347d1f763f59ab7f0423ae8.exe | vbc.exe | 8
PID 3016 wrote to memory of 3828 | 3016 | 0b757d38d347d1f763f59ab7f0423ae8.exe | WinRar Activator.exe | 2
PID 880 wrote to memory of 1640 | 880 | chromedrivers32.exe | cmd.exe | 2
PID 1640 wrote to memory of 3892 | 1640 | cmd.exe | schtasks.exe | 2
PID 880 wrote to memory of 1176 | 880 | chromedrivers32.exe | cmd.exe | 2
PID 880 wrote to memory of 4456 | 880 | chromedrivers32.exe | vbc.exe | 8
PID 3012 wrote to memory of 2964 | 3012 | chromedrivers32.exe | cmd.exe | 2
PID 2964 wrote to memory of 4108 | 2964 | cmd.exe | schtasks.exe | 2
PID 3012 wrote to memory of 1556 | 3012 | chromedrivers32.exe | cmd.exe | 2
PID 3012 wrote to memory of 4592 | 3012 | chromedrivers32.exe | vbc.exe | 8
Processes (process tree; nesting shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe"
  PID: 3016
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
    PID: 3396
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
      PID: 4124
      Signatures: Creates scheduled task(s)
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe" "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe"
    PID: 3124
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 1180
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe"
    PID: 3828
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
  Command line: C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
  PID: 880
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
    PID: 1640
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
      PID: 3892
      Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe" "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe"
    PID: 1176
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 4456
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
  Command line: C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
  PID: 3012
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
    PID: 2964
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
      PID: 4108
      Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe" "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe"
    PID: 1556
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 4592
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 859B
  MD5: 6e11a15fe4491ead2a94f64d3467be38
  SHA1: 9a8329fb71ddc89dae9aa174c0b44a1f646efd63
  SHA256: 087cf6355ae9fc71eea2493b30c6b10a6775f3dd68b2cb5e07fcc13461b74248
  SHA512: 6154e320e2556aef177fc5bfb4e5fe8fabe324af736b89db4db41e6dd51658f7f6a7d0f73c24dc6ccdc4edf14023f4a1ecd0908abac5b82cebd038a93b2fc106

- Filesize: 2KB
  MD5: 9c49939c6bad2727502a6d536f8a3516
  SHA1: b5eefe41d4e8fe019da07c5ca0f18651fa23934e
  SHA256: 64ba592b4ea398f8525140a1b5693a3e9a0e899d9afae5b6d8b150190c2c4f3a
  SHA512: 40cd10bebcc4a71f3038f8cdd6c06e9ea7b61e4758f70f80f48f31ec57b5e4e64b169a8f70cf6ed35a60e4368191e0f5dea29c049d49898334230cc148ebb477

- Filesize: 259KB
  MD5: f385414230d858b00cbe7ffe3daa5928
  SHA1: 04f24e4f0bab06e7d58fc39b328baf382dae9cff
  SHA256: b9ef9b0ae62b70c0ee11f8ff8bc87e2a7b91c2ebbd46af1a29bc5b4119145335
  SHA512: 1f9ad4545b37f2953f1e0f9c9409cc960d7cf30d926c80fb58e92924566d20b3ecf7a971a93f998da105c5e8b36ff5a6b9de46d29a7accd0f96ed9d1c0efb8c2

- Filesize: 259KB
  MD5: f385414230d858b00cbe7ffe3daa5928
  SHA1: 04f24e4f0bab06e7d58fc39b328baf382dae9cff
  SHA256: b9ef9b0ae62b70c0ee11f8ff8bc87e2a7b91c2ebbd46af1a29bc5b4119145335
  SHA512: 1f9ad4545b37f2953f1e0f9c9409cc960d7cf30d926c80fb58e92924566d20b3ecf7a971a93f998da105c5e8b36ff5a6b9de46d29a7accd0f96ed9d1c0efb8c2

- Filesize: 406KB
  MD5: 0b757d38d347d1f763f59ab7f0423ae8
  SHA1: fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577
  SHA256: 2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124
  SHA512: 0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

- Filesize: 406KB
  MD5: 0b757d38d347d1f763f59ab7f0423ae8
  SHA1: fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577
  SHA256: 2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124
  SHA512: 0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

- Filesize: 406KB
  MD5: 0b757d38d347d1f763f59ab7f0423ae8
  SHA1: fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577
  SHA256: 2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124
  SHA512: 0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94