Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
29-06-2022 00:32
General
-
Target
115b043cff8636bde9d054c021fe78113c21217cf7b0a895fca41dcc2b2c8f74.exe
-
Size
279KB
-
MD5
495fc2627c8267aaffc9e89de6b77e0f
-
SHA1
833e808a288c512845a62f6fbd3a1245bf6fbcfa
-
SHA256
115b043cff8636bde9d054c021fe78113c21217cf7b0a895fca41dcc2b2c8f74
-
SHA512
2321cda262836f262d6244c9cdaf27082fb7c90c986cc03d80c090893da83a161e8c7c536bd21edbd3a6b8cb75f72b56c84b1df06eea0b12a92b6d2a4d18cc41
Malware Config
Extracted
redline
mario2
193.106.191.129:80
-
auth_value
4ef7e3fec3a418b2f0233b604d0560d9
Signatures
-
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
-
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\115b043cff8636bde9d054c021fe78113c21217cf7b0a895fca41dcc2b2c8f74.exe"C:\Users\Admin\AppData\Local\Temp\115b043cff8636bde9d054c021fe78113c21217cf7b0a895fca41dcc2b2c8f74.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\5D04.exeC:\Users\Admin\AppData\Local\Temp\5D04.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\3FB5.exeC:\Users\Admin\AppData\Local\Temp\3FB5.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.6MB
MD5a840af25865513286606284b38490add
SHA13ab6eaaa2457f3afc1a37645152a91efa95751af
SHA25626923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad
SHA512fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6
-
Filesize
6.6MB
MD5a840af25865513286606284b38490add
SHA13ab6eaaa2457f3afc1a37645152a91efa95751af
SHA25626923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad
SHA512fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6
-
Filesize
1.6MB
MD5df9cc49add3e01f23c63b0f73469f752
SHA16f8199ae9280e13671f5eb5715b093cd93f6732e
SHA256b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419
SHA51209100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5
-
Filesize
1.6MB
MD5df9cc49add3e01f23c63b0f73469f752
SHA16f8199ae9280e13671f5eb5715b093cd93f6732e
SHA256b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419
SHA51209100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.3MB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
464KB
-
Filesize
428KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
4.0MB
-
Filesize
1.4MB
-
Filesize
4.0MB
-
Filesize
1.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
48KB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
1.0MB
-
Filesize
320KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
5.0MB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
6.0MB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
128KB
-
Filesize
408KB