Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 06-07-2022 09:58

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Variant.Ursu.588815.10992.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Variant.Ursu.588815.10992.exe
  Resource: win10v2004-20220414-en
General
- Target: SecuriteInfo.com.Variant.Ursu.588815.10992.exe
- Size: 525KB
- MD5: 15f43d61bee241657b1ad10d6aa11e57
- SHA1: 83e96ecb233bd270b4f002c55aa28e92306650ef
- SHA256: 538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8
- SHA512: 0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a
Malware Config
Extracted
- Family: redline
- Botnet: wizzy
- C2: 107.182.128.57:48273
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (10 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1224-59-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1224-60-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1224-61-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1224-62-0x000000000041933E-mapping.dmp  family_redline
    behavioral1/memory/1224-64-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1224-68-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1472-83-0x000000000041933E-mapping.dmp  family_redline
    behavioral1/memory/1472-90-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1472-88-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1932-102-0x000000000041933E-mapping.dmp  family_redline
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    988   chromer.exe
    2032  chromer.exe
- Uses the VBS compiler for execution (1 TTPs)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid / process / target process):
    PID 1152 set thread context of 1224  1152  SecuriteInfo.com.Variant.Ursu.588815.10992.exe  vbc.exe
    PID 988 set thread context of 1472   988   chromer.exe  vbc.exe
    PID 2032 set thread context of 1932  2032  chromer.exe  vbc.exe
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
    584   schtasks.exe
    1612  schtasks.exe
    1964  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
    1224  vbc.exe
    1224  vbc.exe
    1472  vbc.exe
    1472  vbc.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1152  SecuriteInfo.com.Variant.Ursu.588815.10992.exe
    Token: SeDebugPrivilege  1224  vbc.exe
    Token: SeDebugPrivilege  988   chromer.exe
    Token: SeDebugPrivilege  1472  vbc.exe
    Token: SeDebugPrivilege  2032  chromer.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target process / count, where count is the number of identical rows in the report):
    PID 1152 wrote to memory of 1224  1152  SecuriteInfo.com.Variant.Ursu.588815.10992.exe  vbc.exe       x9
    PID 1152 wrote to memory of 952   1152  SecuriteInfo.com.Variant.Ursu.588815.10992.exe  cmd.exe       x4
    PID 1152 wrote to memory of 1992  1152  SecuriteInfo.com.Variant.Ursu.588815.10992.exe  cmd.exe       x4
    PID 1152 wrote to memory of 1784  1152  SecuriteInfo.com.Variant.Ursu.588815.10992.exe  cmd.exe       x4
    PID 1992 wrote to memory of 584   1992  cmd.exe      schtasks.exe  x4
    PID 1540 wrote to memory of 988   1540  taskeng.exe  chromer.exe   x4
    PID 988 wrote to memory of 1472   988   chromer.exe  vbc.exe       x9
    PID 988 wrote to memory of 1504   988   chromer.exe  cmd.exe       x4
    PID 988 wrote to memory of 552    988   chromer.exe  cmd.exe       x4
    PID 988 wrote to memory of 996    988   chromer.exe  cmd.exe       x4
    PID 552 wrote to memory of 1612   552   cmd.exe      schtasks.exe  x4
    PID 1540 wrote to memory of 2032  1540  taskeng.exe  chromer.exe   x4
    PID 2032 wrote to memory of 1932  2032  chromer.exe  vbc.exe       x6
Processes (indentation shows the parent/child level)
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.588815.10992.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.588815.10992.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.588815.10992.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {E0263847-690D-4DFC-8207-571A4F414999} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
    Command line: C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
  - C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
    Command line: C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
  Filesize: 525KB
  MD5: 15f43d61bee241657b1ad10d6aa11e57
  SHA1: 83e96ecb233bd270b4f002c55aa28e92306650ef
  SHA256: 538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8
  SHA512: 0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a
- memory/552-85-0x0000000000000000-mapping.dmp
- memory/568-103-0x0000000000000000-mapping.dmp
- memory/584-70-0x0000000000000000-mapping.dmp
- memory/952-65-0x0000000000000000-mapping.dmp
- memory/988-75-0x0000000000E20000-0x0000000000EAA000-memory.dmp (Filesize: 552KB)
- memory/988-73-0x0000000000000000-mapping.dmp
- memory/996-86-0x0000000000000000-mapping.dmp
- memory/1152-55-0x00000000763E1000-0x00000000763E3000-memory.dmp (Filesize: 8KB)
- memory/1152-54-0x00000000009B0000-0x0000000000A3A000-memory.dmp (Filesize: 552KB)
- memory/1224-64-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1224-59-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1224-56-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1224-68-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1224-62-0x000000000041933E-mapping.dmp
- memory/1224-61-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1224-57-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1224-60-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1292-106-0x0000000000000000-mapping.dmp
- memory/1472-90-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1472-88-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1472-83-0x000000000041933E-mapping.dmp
- memory/1504-84-0x0000000000000000-mapping.dmp
- memory/1612-91-0x0000000000000000-mapping.dmp
- memory/1784-69-0x0000000000000000-mapping.dmp
- memory/1868-105-0x0000000000000000-mapping.dmp
- memory/1932-102-0x000000000041933E-mapping.dmp
- memory/1964-107-0x0000000000000000-mapping.dmp
- memory/1992-67-0x0000000000000000-mapping.dmp
- memory/2032-93-0x0000000000000000-mapping.dmp