Overview

overview

10

Static

static

A3E0207620...1D.exe

windows7_x64

10

A3E0207620...1D.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

  • Size

    530KB

  • MD5

    4bf2eedfff6695b5f3fea01022c77b46

  • SHA1

    6e08f77c366deb75ccc05c7e095132ca967d2dca

  • SHA256

    a3e02076203fb0a1c203265a9e9592f11fdc0d0e77a1d4591ece152f913092fa

  • SHA512

    d868367ef491593472eefe5009d5543b71f342406d4cc3a45c24e978a8c2112fe1da7a283918847dd7da4dfd5189d2559a9eebb6c7621ce9c4946513d3037c49

Score
10/10
redlinechoidiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

Choi

C2

192.99.175.89:49887

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    "C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bIsxcujH.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3928
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bIsxcujH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCB.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2024
    • C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
      "C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe.log
    Filesize

    1KB

    MD5

    e08f822522c617a40840c62e4b0fb45e

    SHA1

    ae516dca4da5234be6676d3f234c19ec55725be7

    SHA256

    bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

    SHA512

    894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpDCB.tmp
    Filesize

    1KB

    MD5

    37805c1e3c06b1284417892ff77dc362

    SHA1

    945451e62e84948f881ca8226db5f732186c1c1e

    SHA256

    a4b1459fe0a02ed5fe2d3536482d2a1fc12fee080998fd9a350ea0d6216fa291

    SHA512

    10a37749c8e342042fb54c9716cd6ba1e680de30fa6b4124c51e52cfd39b12c3f3d33b20db3fb26658eb39a5ba777f236e74bbcab2360a8716d490f7ad601769

    Download Submit
  • memory/792-146-0x0000000005A70000-0x0000000006088000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/792-162-0x0000000007020000-0x000000000754C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/792-150-0x0000000005630000-0x000000000573A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/792-147-0x0000000005320000-0x0000000005332000-memory.dmp
    Filesize

    72KB

    Download
  • memory/792-164-0x0000000006C50000-0x0000000006C6E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/792-161-0x0000000006920000-0x0000000006AE2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/792-148-0x0000000005380000-0x00000000053BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/792-163-0x0000000006B70000-0x0000000006BE6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/792-141-0x0000000000000000-mapping.dmp
    Download
  • memory/792-142-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2024-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2512-134-0x0000000007B20000-0x0000000007BBC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2512-130-0x0000000000C60000-0x0000000000CEA000-memory.dmp
    Filesize

    552KB

    Download
  • memory/2512-135-0x0000000009240000-0x00000000092A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2512-133-0x0000000005710000-0x000000000571A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2512-132-0x0000000005550000-0x00000000055E2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2512-131-0x0000000005A00000-0x0000000005FA4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3928-138-0x00000000028A0000-0x00000000028D6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3928-149-0x00000000061A0000-0x00000000061BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3928-151-0x0000000007180000-0x00000000071B2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3928-152-0x0000000070EC0000-0x0000000070F0C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3928-153-0x0000000006770000-0x000000000678E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3928-154-0x0000000007B00000-0x000000000817A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/3928-155-0x00000000074B0000-0x00000000074CA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3928-156-0x0000000007520000-0x000000000752A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3928-157-0x0000000007730000-0x00000000077C6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/3928-158-0x00000000076E0000-0x00000000076EE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3928-159-0x00000000077F0000-0x000000000780A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3928-160-0x00000000077D0000-0x00000000077D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3928-144-0x0000000005180000-0x00000000051E6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3928-143-0x00000000050E0000-0x0000000005102000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3928-140-0x0000000005310000-0x0000000005938000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/3928-136-0x0000000000000000-mapping.dmp
    Download