Overview

overview

10

Static

static

URLScan

urlscan

1

http://141.98.6.236/...

windows7-x64

10

http://141.98.6.236/...

windows10-2004-x64

8

Analysis

  • max time kernel
    97s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    07-08-2022 23:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://141.98.6.236/1337/ZvfejoxpnTORRENTOLD-1.exe

Score
10/10
redlinetorrentolddiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

TORRENTOLD

C2

amrican-sport-live-stream.cc:4581

Attributes
  • auth_value

    74e1b58bf920611f04c0e3919954fe05

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://141.98.6.236/1337/ZvfejoxpnTORRENTOLD-1.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1776
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JF7FDU3Y\ZvfejoxpnTORRENTOLD-1.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JF7FDU3Y\ZvfejoxpnTORRENTOLD-1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JF7FDU3Y\ZvfejoxpnTORRENTOLD-1.exe
    Filesize

    784KB

    MD5

    43089a1a50b1981a4dba7959e31e62f1

    SHA1

    c8db527eba66719e365672a17bd1eddc2085de9a

    SHA256

    4fb57da6d703e8bebfdd51b7f579fb36127eee300880eeb5ca2be3f00cce154e

    SHA512

    2777758eff7684d51ca8bc060f0652c14ef6999375061262acb5a741a2c927cfefe46bbbe733530777bd1d08893cce8e7f0631e157ff2069f6c75c5f3624b0fa

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JF7FDU3Y\ZvfejoxpnTORRENTOLD-1.exe.6l80n1o.partial
    Filesize

    784KB

    MD5

    43089a1a50b1981a4dba7959e31e62f1

    SHA1

    c8db527eba66719e365672a17bd1eddc2085de9a

    SHA256

    4fb57da6d703e8bebfdd51b7f579fb36127eee300880eeb5ca2be3f00cce154e

    SHA512

    2777758eff7684d51ca8bc060f0652c14ef6999375061262acb5a741a2c927cfefe46bbbe733530777bd1d08893cce8e7f0631e157ff2069f6c75c5f3624b0fa

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WB8IGSS8.txt
    Filesize

    599B

    MD5

    9c3d607b045691c061928a03e57a2214

    SHA1

    d7126a1a736c303d6ece322ac824ae729169d843

    SHA256

    ff4eec3a46bf45f826c5a86fb1f37bad7017019ef907a6f8b27e570dbdc1f79c

    SHA512

    c0e9bf002b0095128f90d01ac1b1a7982f001635c4e98168e2dace7b2a80d88f81b3c8d614c369afb8fd032e0c30d9b0bfb343d8ec8287a55159d36094c2059c

    Download Submit
  • memory/1260-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1260-57-0x00000000013B0000-0x000000000147A000-memory.dmp
    Filesize

    808KB

    Download
  • memory/1260-58-0x00000000003B0000-0x0000000000420000-memory.dmp
    Filesize

    448KB

    Download
  • memory/1260-59-0x0000000000B70000-0x0000000000C02000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1840-63-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1840-61-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1840-64-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1840-65-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1840-66-0x000000000043E76E-mapping.dmp
    Download
  • memory/1840-68-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1840-70-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1840-71-0x0000000076291000-0x0000000076293000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1840-72-0x00000000003F0000-0x00000000003F6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1840-60-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download