Analysis
-
max time kernel
57s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
-
submitted
12-08-2022 01:03
General
-
Target
680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe
-
Size
2.5MB
-
MD5
b93ca6dd6a570b6737c161a6c02e4c47
-
SHA1
d97c8f1fa60237963a61b2320aa43c01b8987634
-
SHA256
680f28fc36441a05ef4a4a19b64ee60c73c2fb9653d26b028d64e93aba781b32
-
SHA512
37728d2af479067109ae9177b1a4a19e9f40bead9ed112e5b52bf4618b97f8a620597ff4e66e464196076321513a069d709f62ea92ae179c23a18296ef8c88c6
Malware Config
Extracted
redline
185.215.113.23:15912
-
auth_value
ca11d6bb68385493a28fdddb02897eaf
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
-
YTStealer payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe"C:\Users\Admin\AppData\Local\Temp\680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\filename.exe"C:\Users\Admin\AppData\Local\Temp\filename.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
MD56452e14763ae943f8e556f65c09473eb
SHA1290981d61d73c696b475c8fefed323b569418bde
SHA256bc35c66b1be35a701e70388789b6446093fa71716801c8828c3f363eee1a183e
SHA51244ac3be1c66b734a908a88c79df310788dd5edd1e8bbaa577682459163fa347282a937d4d4d48710e1a1f08e89ca8d4674cbdbc51e015539dce4509645727796
-
Filesize
4.0MB
MD56452e14763ae943f8e556f65c09473eb
SHA1290981d61d73c696b475c8fefed323b569418bde
SHA256bc35c66b1be35a701e70388789b6446093fa71716801c8828c3f363eee1a183e
SHA51244ac3be1c66b734a908a88c79df310788dd5edd1e8bbaa577682459163fa347282a937d4d4d48710e1a1f08e89ca8d4674cbdbc51e015539dce4509645727796
-
Filesize
4.0MB
MD56452e14763ae943f8e556f65c09473eb
SHA1290981d61d73c696b475c8fefed323b569418bde
SHA256bc35c66b1be35a701e70388789b6446093fa71716801c8828c3f363eee1a183e
SHA51244ac3be1c66b734a908a88c79df310788dd5edd1e8bbaa577682459163fa347282a937d4d4d48710e1a1f08e89ca8d4674cbdbc51e015539dce4509645727796
-
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
14.1MB
-
Filesize
14.1MB
-
-
Filesize
14.1MB
-
Filesize
14.1MB