Overview

overview

10

Static

static

fd0fadecf0...74.exe

windows7_x64

1

fd0fadecf0...74.exe

windows10-2004_x64

10

Resubmissions

29/06/2022, 01:00

220629-bcr4jsfdd9 10

28/06/2022, 23:36

220628-3lnw2adbgm 10

Analysis

  • max time kernel
    301s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    29/06/2022, 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd0fadecf054fd384b0964b72331387a79d621a90383706838713f086d12ee74.exe

  • Size

    279KB

  • MD5

    e8a3b9038499e57efa0fac179995c4eb

  • SHA1

    4584bea5ef3c4d6dd4de7bc1162ab5a3000cf6d1

  • SHA256

    fd0fadecf054fd384b0964b72331387a79d621a90383706838713f086d12ee74

  • SHA512

    063874174ab32f003a26bdf2ee7651e7ff08eeac21bcc8f122a25b840f8901fbcf6ed8289f321e817bc507a86cc54b9c8e715ccc00de12735022723175d28b13

Score
10/10
redlinemario2infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

mario2

C2

193.106.191.129:80

Attributes
  • auth_value

    4ef7e3fec3a418b2f0233b604d0560d9

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd0fadecf054fd384b0964b72331387a79d621a90383706838713f086d12ee74.exe
    "C:\Users\Admin\AppData\Local\Temp\fd0fadecf054fd384b0964b72331387a79d621a90383706838713f086d12ee74.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3980
  • C:\Users\Admin\AppData\Local\Temp\1C23.exe
    C:\Users\Admin\AppData\Local\Temp\1C23.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3336
  • C:\Users\Admin\AppData\Local\Temp\43E0.exe
    C:\Users\Admin\AppData\Local\Temp\43E0.exe
    1⤵
    • Executes dropped EXE
    PID:1524
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:5044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 912
        2⤵
        • Program crash
        PID:2108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5044 -ip 5044
      1⤵
        PID:2196
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:2368

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1C23.exe
          Filesize

          1.6MB

          MD5

          df9cc49add3e01f23c63b0f73469f752

          SHA1

          6f8199ae9280e13671f5eb5715b093cd93f6732e

          SHA256

          b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419

          SHA512

          09100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1C23.exe
          Filesize

          1.6MB

          MD5

          df9cc49add3e01f23c63b0f73469f752

          SHA1

          6f8199ae9280e13671f5eb5715b093cd93f6732e

          SHA256

          b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419

          SHA512

          09100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\43E0.exe
          Filesize

          6.6MB

          MD5

          a840af25865513286606284b38490add

          SHA1

          3ab6eaaa2457f3afc1a37645152a91efa95751af

          SHA256

          26923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad

          SHA512

          fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\43E0.exe
          Filesize

          6.6MB

          MD5

          a840af25865513286606284b38490add

          SHA1

          3ab6eaaa2457f3afc1a37645152a91efa95751af

          SHA256

          26923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad

          SHA512

          fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6

          Download Submit

        • memory/1524-153-0x0000000000D80000-0x00000000017DC000-memory.dmp

          Filesize

          10.4MB

          Download

        • memory/1524-144-0x0000000000D80000-0x00000000017DC000-memory.dmp

          Filesize

          10.4MB

          Download

        • memory/1524-142-0x0000000000D80000-0x00000000017DC000-memory.dmp

          Filesize

          10.4MB

          Download

        • memory/2368-151-0x0000000000B90000-0x0000000000B9C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2968-137-0x0000000002D00000-0x00000000030F9000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/2968-138-0x0000000003109000-0x0000000003258000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2968-160-0x0000000003109000-0x0000000003258000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2968-145-0x0000000002D00000-0x00000000030F9000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/2968-146-0x0000000003109000-0x0000000003258000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2968-155-0x000000000E290000-0x000000000E3D5000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2968-154-0x000000000E290000-0x000000000E3D5000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3336-165-0x0000000006E20000-0x00000000073C4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3336-166-0x0000000006960000-0x00000000069F2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3336-172-0x0000000007FE0000-0x000000000850C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/3336-171-0x00000000078E0000-0x0000000007AA2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3336-170-0x00000000075C0000-0x0000000007610000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3336-169-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3336-168-0x0000000006BF0000-0x0000000006C66000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3336-157-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3336-159-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3336-167-0x0000000006A00000-0x0000000006A66000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3336-161-0x0000000005AF0000-0x0000000006108000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3336-162-0x0000000005580000-0x0000000005592000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3336-163-0x00000000056B0000-0x00000000057BA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3336-164-0x00000000055E0000-0x000000000561C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3980-133-0x0000000000400000-0x0000000000B38000-memory.dmp

          Filesize

          7.2MB

          Download

        • memory/3980-132-0x0000000000400000-0x0000000000B38000-memory.dmp

          Filesize

          7.2MB

          Download

        • memory/3980-131-0x00000000001F0000-0x00000000001F9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3980-130-0x0000000000D82000-0x0000000000D92000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5044-149-0x0000000000710000-0x000000000077B000-memory.dmp

          Filesize

          428KB

          Download

        • memory/5044-148-0x0000000000780000-0x00000000007F4000-memory.dmp

          Filesize

          464KB

          Download

        • memory/5044-152-0x0000000000710000-0x000000000077B000-memory.dmp

          Filesize

          428KB

          Download