Overview

overview

10

Static

static

8f53ac20b7...1b.exe

windows7-x64

10

8f53ac20b7...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    08-08-2022 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f53ac20b7777477c10ecbe163968c472457d3819ebafb20f232c5b1a448eb1b.exe

  • Size

    413KB

  • MD5

    127768b759970c351b9d9947c97a3c83

  • SHA1

    5c7cca03e0cd8af8a5bb2c70a48f917965ae9514

  • SHA256

    8f53ac20b7777477c10ecbe163968c472457d3819ebafb20f232c5b1a448eb1b

  • SHA512

    b324d7ff35c2ab81ccee687d32af9e9f30b2a75182a5cf9244061069ffcf3718df5c7b06c40819e772309f6aaba2cfe987e13c821c85471c6bb1a437fa06dffd

Score
10/10
redline1discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

1

C2

207.32.218.115:4162

Attributes
  • auth_value

    58f3be996f732af4b1f9624e1a783249

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f53ac20b7777477c10ecbe163968c472457d3819ebafb20f232c5b1a448eb1b.exe
    "C:\Users\Admin\AppData\Local\Temp\8f53ac20b7777477c10ecbe163968c472457d3819ebafb20f232c5b1a448eb1b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 44
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • memory/796-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1672-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1976-54-0x000000013FDC0000-0x000000013FE2C000-memory.dmp
    Filesize

    432KB

    Download
  • memory/1976-55-0x000000001AA90000-0x000000001AAB0000-memory.dmp
    Filesize

    128KB

    Download