Analysis
-
max time kernel
127s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
10-08-2022 19:08
General
-
Target
e25ce9c2b5d24744369835f590f91d1a.exe
-
Size
3.9MB
-
MD5
e25ce9c2b5d24744369835f590f91d1a
-
SHA1
73b7c7c2cd35864ed4fe3969f8f8dc4242900ac1
-
SHA256
6ace84c8a5b97075e435df18a59c7dcaa90091c8b3140deedf5139329d1890df
-
SHA512
7c949da1f0cbdd49198f8ccb07b67a4222f1f3c9c9451bd7e871bb7561f5cd77a6f45006a3324a511cde7c216622c1811244ae03795e2106536e613325adee73
Malware Config
Extracted
redline
185.215.113.23:15912
-
auth_value
2e05da16ff667c8d53d0673cd5b4e948
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
-
YTStealer payload 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e25ce9c2b5d24744369835f590f91d1a.exe"C:\Users\Admin\AppData\Local\Temp\e25ce9c2b5d24744369835f590f91d1a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\filename.exe"C:\Users\Admin\AppData\Local\Temp\filename.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
MD56452e14763ae943f8e556f65c09473eb
SHA1290981d61d73c696b475c8fefed323b569418bde
SHA256bc35c66b1be35a701e70388789b6446093fa71716801c8828c3f363eee1a183e
SHA51244ac3be1c66b734a908a88c79df310788dd5edd1e8bbaa577682459163fa347282a937d4d4d48710e1a1f08e89ca8d4674cbdbc51e015539dce4509645727796
-
Filesize
4.0MB
MD56452e14763ae943f8e556f65c09473eb
SHA1290981d61d73c696b475c8fefed323b569418bde
SHA256bc35c66b1be35a701e70388789b6446093fa71716801c8828c3f363eee1a183e
SHA51244ac3be1c66b734a908a88c79df310788dd5edd1e8bbaa577682459163fa347282a937d4d4d48710e1a1f08e89ca8d4674cbdbc51e015539dce4509645727796
-
-
Filesize
14.1MB
-
Filesize
14.1MB
-
Filesize
14.1MB
-
Filesize
6.7MB
-
Filesize
10.8MB
-
Filesize
136KB
-
-
Filesize
1.0MB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
128KB
-