Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20220718-en -
resource tags
-
submitted
06-08-2022 05:20
General
-
Target
7fe6ab4b50235ba27649f8bd780c20954d98becb6ee904b1d0974d399127c2ca.exe
-
Size
314KB
-
MD5
6f7e704176330dde7679fc4efa683990
-
SHA1
c88c6256a7bfb0b70b24e9861cfdd773c25348e0
-
SHA256
7fe6ab4b50235ba27649f8bd780c20954d98becb6ee904b1d0974d399127c2ca
-
SHA512
65a5f673618d2dab94b086927781728196ce35c789e96b661dfd7d565950d62d94b37a063b677e10fc15635eae457eb07c3fc7ebb27b971eddfd1efe2c4240e9
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
AF2
C2
stcontact.top:80
Attributes
-
auth_value
4d729a2faecb406a0eb1d6fcf30432fa
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7fe6ab4b50235ba27649f8bd780c20954d98becb6ee904b1d0974d399127c2ca.exe"C:\Users\Admin\AppData\Local\Temp\7fe6ab4b50235ba27649f8bd780c20954d98becb6ee904b1d0974d399127c2ca.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CC1.exeC:\Users\Admin\AppData\Local\Temp\CC1.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CC1.exeFilesize
416KB
MD5ff451612548cfd7c3faba95922220963
SHA1aea7f869b8ce58cdeda596c98632ac16bcabc5ea
SHA256b0ad131b9eefb94f0ef96e7c7a1b3a2f5ad274d2ed699652253eaa5e6fec88ea
SHA5129dde4f0311fd06cd37bc7ff516bd614d98dccd3b4adca6fd42acc494175016a993398c5eddde18d95139c027588f5ddf660a31df63b3288682ee105c9067f751
-
C:\Users\Admin\AppData\Local\Temp\CC1.exeFilesize
416KB
MD5ff451612548cfd7c3faba95922220963
SHA1aea7f869b8ce58cdeda596c98632ac16bcabc5ea
SHA256b0ad131b9eefb94f0ef96e7c7a1b3a2f5ad274d2ed699652253eaa5e6fec88ea
SHA5129dde4f0311fd06cd37bc7ff516bd614d98dccd3b4adca6fd42acc494175016a993398c5eddde18d95139c027588f5ddf660a31df63b3288682ee105c9067f751
-
memory/2176-135-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-119-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-121-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-137-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-123-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-124-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-125-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-126-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-127-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-128-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-129-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-130-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-131-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-132-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-133-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-134-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-117-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-136-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-122-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-120-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-142-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-140-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-141-0x0000000000470000-0x000000000051E000-memory.dmpFilesize
696KB
-
memory/2176-143-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-144-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-145-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-146-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-147-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-149-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-148-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-150-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-151-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-152-0x00000000001E0000-0x00000000001E9000-memory.dmpFilesize
36KB
-
memory/2176-153-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2176-154-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2176-138-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2176-118-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-163-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-184-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-159-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-160-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-161-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-162-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-157-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-155-0x0000000000000000-mapping.dmp
-
memory/4572-165-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-166-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-167-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-168-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-169-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-171-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-170-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-172-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-173-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-174-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-175-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-176-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-177-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-178-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-179-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-180-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-181-0x00000000006DA000-0x0000000000704000-memory.dmpFilesize
168KB
-
memory/4572-182-0x0000000000490000-0x000000000053E000-memory.dmpFilesize
696KB
-
memory/4572-183-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-158-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-185-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-186-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-187-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-188-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-189-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-190-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/4572-191-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4572-201-0x0000000002250000-0x0000000002280000-memory.dmpFilesize
192KB
-
memory/4572-206-0x0000000004C70000-0x000000000516E000-memory.dmpFilesize
5.0MB
-
memory/4572-208-0x0000000002410000-0x0000000002440000-memory.dmpFilesize
192KB
-
memory/4572-219-0x0000000005170000-0x0000000005776000-memory.dmpFilesize
6.0MB
-
memory/4572-220-0x00000000025B0000-0x00000000025C2000-memory.dmpFilesize
72KB
-
memory/4572-221-0x0000000005780000-0x000000000588A000-memory.dmpFilesize
1.0MB
-
memory/4572-224-0x00000000058A0000-0x00000000058DE000-memory.dmpFilesize
248KB
-
memory/4572-232-0x00000000058F0000-0x000000000593B000-memory.dmpFilesize
300KB
-
memory/4572-256-0x0000000006640000-0x00000000066B6000-memory.dmpFilesize
472KB
-
memory/4572-257-0x0000000006700000-0x0000000006792000-memory.dmpFilesize
584KB
-
memory/4572-260-0x0000000006920000-0x000000000693E000-memory.dmpFilesize
120KB
-
memory/4572-261-0x00000000069A0000-0x0000000006A06000-memory.dmpFilesize
408KB
-
memory/4572-269-0x0000000006F60000-0x0000000007122000-memory.dmpFilesize
1.8MB
-
memory/4572-270-0x0000000007130000-0x000000000765C000-memory.dmpFilesize
5.2MB
-
memory/4572-272-0x00000000006DA000-0x0000000000704000-memory.dmpFilesize
168KB
-
memory/4572-274-0x0000000000490000-0x000000000053E000-memory.dmpFilesize
696KB
-
memory/4572-275-0x00000000079C0000-0x0000000007A10000-memory.dmpFilesize
320KB
-
memory/4572-280-0x00000000006DA000-0x0000000000704000-memory.dmpFilesize
168KB
-
memory/4572-281-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB