Overview

overview

10

Static

static

8610040371...b7.exe

windows7-x64

10

8610040371...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 11:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe

  • Size

    2.5MB

  • MD5

    d5646c90a8af09a6e669a8e471005bbd

  • SHA1

    526b70c4b3762c8983e8bb19b57ada1f75c52b19

  • SHA256

    86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7

  • SHA512

    4d948f4923877f29fe64991c90ea3a6c08473bc61cb6573151039e12a52f7a70d4e721c3888985df6d90cdeeb093cc36074d68597448d00e37f9f011af07645e

Score
10/10
colibriredline@ternetyfplbuild1infostealerloaderspyware

Malware Config

Extracted

Family

redline

Botnet

@ternetyFPL

C2

62.204.41.144:14096

Attributes
  • auth_value

    449f565b5fc3449e1b02eaa2fe5a56dd

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe
    "C:\Users\Admin\AppData\Local\Temp\86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:201264
      • C:\Users\Admin\AppData\Local\Temp\iog.exe
        "C:\Users\Admin\AppData\Local\Temp\iog.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:201472
        • C:\ProgramData\conhost.exe
          "C:\ProgramData\conhost.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:201500
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
            5⤵
            • Creates scheduled task(s)
            PID:201628
        • C:\ProgramData\svchost.exe
          "C:\ProgramData\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:201516
          • C:\Windows\SysWOW64\schtasks.exe
            /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
            5⤵
            • Creates scheduled task(s)
            PID:201712
          • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
            "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            PID:201280
  • C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1828
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
      "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\conhost.exe
    Filesize

    123KB

    MD5

    444b170a7bdc16d7fd17152db15903cd

    SHA1

    b8be4f37da9f4c9c347f2df6917288706790d99c

    SHA256

    9e4e0263e1c40a5604d9332437d93901d1e6fa8d59c15a1185c2a9490ce9ec3d

    SHA512

    9914a66c7cb4b7661fd532354a2d72e3069bc811997a55ef447ae3e1e3b029e6f4f34a74bc1f97400b2f52b49bef48d1c8ef588c76974c430b493d298d8ada0f

    Download Submit
  • C:\ProgramData\conhost.exe
    Filesize

    123KB

    MD5

    444b170a7bdc16d7fd17152db15903cd

    SHA1

    b8be4f37da9f4c9c347f2df6917288706790d99c

    SHA256

    9e4e0263e1c40a5604d9332437d93901d1e6fa8d59c15a1185c2a9490ce9ec3d

    SHA512

    9914a66c7cb4b7661fd532354a2d72e3069bc811997a55ef447ae3e1e3b029e6f4f34a74bc1f97400b2f52b49bef48d1c8ef588c76974c430b493d298d8ada0f

    Download Submit
  • C:\ProgramData\svchost.exe
    Filesize

    140KB

    MD5

    ad9c439c2a8bcae64c43f328ff11717c

    SHA1

    a1e372fac21ee4d5ead0c803211cf23eeb9c597d

    SHA256

    b481153e0b740d62b33602dd7f8e395b24fe2ca6d14c0b4906dcc7821728fd06

    SHA512

    4523d20bd73df8a145854f5f907140dca981643edc6aadbe6c932c2723cf123a3d2dd623dfefac760b7a2454c3f7e46b2d5388a33e638735948212f1e6c33938

    Download Submit
  • C:\ProgramData\svchost.exe
    Filesize

    140KB

    MD5

    ad9c439c2a8bcae64c43f328ff11717c

    SHA1

    a1e372fac21ee4d5ead0c803211cf23eeb9c597d

    SHA256

    b481153e0b740d62b33602dd7f8e395b24fe2ca6d14c0b4906dcc7821728fd06

    SHA512

    4523d20bd73df8a145854f5f907140dca981643edc6aadbe6c932c2723cf123a3d2dd623dfefac760b7a2454c3f7e46b2d5388a33e638735948212f1e6c33938

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    140KB

    MD5

    ad9c439c2a8bcae64c43f328ff11717c

    SHA1

    a1e372fac21ee4d5ead0c803211cf23eeb9c597d

    SHA256

    b481153e0b740d62b33602dd7f8e395b24fe2ca6d14c0b4906dcc7821728fd06

    SHA512

    4523d20bd73df8a145854f5f907140dca981643edc6aadbe6c932c2723cf123a3d2dd623dfefac760b7a2454c3f7e46b2d5388a33e638735948212f1e6c33938

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    140KB

    MD5

    ad9c439c2a8bcae64c43f328ff11717c

    SHA1

    a1e372fac21ee4d5ead0c803211cf23eeb9c597d

    SHA256

    b481153e0b740d62b33602dd7f8e395b24fe2ca6d14c0b4906dcc7821728fd06

    SHA512

    4523d20bd73df8a145854f5f907140dca981643edc6aadbe6c932c2723cf123a3d2dd623dfefac760b7a2454c3f7e46b2d5388a33e638735948212f1e6c33938

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    140KB

    MD5

    ad9c439c2a8bcae64c43f328ff11717c

    SHA1

    a1e372fac21ee4d5ead0c803211cf23eeb9c597d

    SHA256

    b481153e0b740d62b33602dd7f8e395b24fe2ca6d14c0b4906dcc7821728fd06

    SHA512

    4523d20bd73df8a145854f5f907140dca981643edc6aadbe6c932c2723cf123a3d2dd623dfefac760b7a2454c3f7e46b2d5388a33e638735948212f1e6c33938

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\iog.exe
    Filesize

    280KB

    MD5

    6ce5c00d5fce03683fcb3ea3526a0338

    SHA1

    bf9a9f1c5766f0b32282fb2146854b9c2512ae40

    SHA256

    75bf5eb75f3044110bf3b14f358db9f42ad0aa677bfa78fed045aa52c01c07fe

    SHA512

    7b0fbfc7fe8c264a83709e3697239f357ce1ae5356de3fce1b51c61d62812d76b2f63adff5f0f25deeab1bb8b1e847f8bf0ea4d95659680984326ad8824df501

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\iog.exe
    Filesize

    280KB

    MD5

    6ce5c00d5fce03683fcb3ea3526a0338

    SHA1

    bf9a9f1c5766f0b32282fb2146854b9c2512ae40

    SHA256

    75bf5eb75f3044110bf3b14f358db9f42ad0aa677bfa78fed045aa52c01c07fe

    SHA512

    7b0fbfc7fe8c264a83709e3697239f357ce1ae5356de3fce1b51c61d62812d76b2f63adff5f0f25deeab1bb8b1e847f8bf0ea4d95659680984326ad8824df501

    Download Submit
  • C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    Filesize

    123KB

    MD5

    444b170a7bdc16d7fd17152db15903cd

    SHA1

    b8be4f37da9f4c9c347f2df6917288706790d99c

    SHA256

    9e4e0263e1c40a5604d9332437d93901d1e6fa8d59c15a1185c2a9490ce9ec3d

    SHA512

    9914a66c7cb4b7661fd532354a2d72e3069bc811997a55ef447ae3e1e3b029e6f4f34a74bc1f97400b2f52b49bef48d1c8ef588c76974c430b493d298d8ada0f

    Download Submit
  • C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    Filesize

    123KB

    MD5

    444b170a7bdc16d7fd17152db15903cd

    SHA1

    b8be4f37da9f4c9c347f2df6917288706790d99c

    SHA256

    9e4e0263e1c40a5604d9332437d93901d1e6fa8d59c15a1185c2a9490ce9ec3d

    SHA512

    9914a66c7cb4b7661fd532354a2d72e3069bc811997a55ef447ae3e1e3b029e6f4f34a74bc1f97400b2f52b49bef48d1c8ef588c76974c430b493d298d8ada0f

    Download Submit
  • memory/1208-176-0x0000000000000000-mapping.dmp
    Download
  • memory/1208-179-0x000000007F7A0000-0x000000007F7A7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1208-178-0x000000007F7B0000-0x000000007F7CC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1208-180-0x000000007F7B0000-0x000000007F7CC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/4168-172-0x000001AB4EA20000-0x000001AB4EA42000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4168-173-0x00007FFEAD300000-0x00007FFEADDC1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4168-174-0x000001AB4EBA0000-0x000001AB4EBE4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4168-175-0x000001AB4EFD0000-0x000001AB4F046000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4168-181-0x00007FFEAD300000-0x00007FFEADDC1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/201264-146-0x00000000071B0000-0x0000000007372000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/201264-130-0x0000000000000000-mapping.dmp
    Download
  • memory/201264-131-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/201264-136-0x0000000005BA0000-0x00000000061B8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/201264-137-0x00000000055F0000-0x0000000005602000-memory.dmp
    Filesize

    72KB

    Download
  • memory/201264-138-0x0000000005720000-0x000000000582A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/201264-139-0x0000000005650000-0x000000000568C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/201264-140-0x0000000005990000-0x0000000005A06000-memory.dmp
    Filesize

    472KB

    Download
  • memory/201264-141-0x0000000005AB0000-0x0000000005B42000-memory.dmp
    Filesize

    584KB

    Download
  • memory/201264-142-0x0000000006770000-0x0000000006D14000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/201264-147-0x00000000078B0000-0x0000000007DDC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/201264-143-0x0000000005B70000-0x0000000005B8E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/201264-144-0x0000000006490000-0x00000000064F6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/201264-145-0x0000000006F90000-0x0000000006FE0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/201280-167-0x000000007EEC0000-0x000000007EEDC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/201280-162-0x0000000000000000-mapping.dmp
    Download
  • memory/201280-168-0x000000007EEB0000-0x000000007EEB7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/201280-169-0x000000007EEB0000-0x000000007EEB7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/201472-157-0x0000000000540000-0x0000000000588000-memory.dmp
    Filesize

    288KB

    Download
  • memory/201472-148-0x0000000000000000-mapping.dmp
    Download
  • memory/201500-151-0x0000000000000000-mapping.dmp
    Download
  • memory/201516-164-0x000000007FE30000-0x000000007FE4C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/201516-159-0x000000007FE20000-0x000000007FE27000-memory.dmp
    Filesize

    28KB

    Download
  • memory/201516-158-0x000000007FE30000-0x000000007FE4C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/201516-154-0x0000000000000000-mapping.dmp
    Download
  • memory/201516-166-0x000000007FE20000-0x000000007FE27000-memory.dmp
    Filesize

    28KB

    Download
  • memory/201628-160-0x0000000000000000-mapping.dmp
    Download
  • memory/201712-161-0x0000000000000000-mapping.dmp
    Download