Overview

overview

10

Static

static

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    182s
  • platform
    windows10-1703_x64
  • resource
    win10-20220718-en
  • resource tags

    arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12-08-2022 01:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    B496D857BBBEF7E54FB21211543F3773D0217531F45E5AE8F781A6A2105BD9CE.exe

  • Size

    2.5MB

  • MD5

    7e14b59e3e02f958d30d433d049ba87f

  • SHA1

    56654f6eef3439ee707338b67fdcfffa371dff6c

  • SHA256

    b496d857bbbef7e54fb21211543f3773d0217531f45e5ae8f781a6a2105bd9ce

  • SHA512

    f600e6ce13bc5f8f510ff3dfaf7bb565adce02132e411e0aafbfe7284b109a46b7eee6be339b8041fdc1d2f0e64e8280611053394cd0c1f3c9166c9c0141242a

Score
10/10
redlineytstealerinfostealerspywarestealerupx

Malware Config

Extracted

Family

redline

C2

185.215.113.83:60722

Attributes
  • auth_value

    d6602ca99e3633ec2776f94702ca62f2

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\B496D857BBBEF7E54FB21211543F3773D0217531F45E5AE8F781A6A2105BD9CE.exe
    "C:\Users\Admin\AppData\Local\Temp\B496D857BBBEF7E54FB21211543F3773D0217531F45E5AE8F781A6A2105BD9CE.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:198916
      • C:\Users\Admin\AppData\Local\Temp\Starter.exe
        "C:\Users\Admin\AppData\Local\Temp\Starter.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4464
      • C:\Users\Admin\AppData\Local\Temp\start.exe
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4876
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\start.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 0
            5⤵
              PID:5112

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Starter.exe
      Filesize

      18KB

      MD5

      3d41fe66e7592eb35c5ef99a83fce2a4

      SHA1

      5dc2984ceb1a169b5571267159c43f1b0e5d757d

      SHA256

      7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

      SHA512

      9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Starter.exe
      Filesize

      18KB

      MD5

      3d41fe66e7592eb35c5ef99a83fce2a4

      SHA1

      5dc2984ceb1a169b5571267159c43f1b0e5d757d

      SHA256

      7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

      SHA512

      9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\start.exe
      Filesize

      4.0MB

      MD5

      b09ec6718a34a70a182f3412b89f6777

      SHA1

      e730645db18339897aeddb4f21ce662911e03444

      SHA256

      21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

      SHA512

      5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\start.exe
      Filesize

      4.0MB

      MD5

      b09ec6718a34a70a182f3412b89f6777

      SHA1

      e730645db18339897aeddb4f21ce662911e03444

      SHA256

      21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

      SHA512

      5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

      Download Submit
    • memory/3708-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3708-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3708-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3708-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3708-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3708-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3708-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3708-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4464-609-0x0000000000000000-mapping.dmp
      Download
    • memory/4464-664-0x0000000005630000-0x000000000563A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4464-645-0x0000000000DE0000-0x0000000000DEA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4876-691-0x00000000013E0000-0x00000000021B9000-memory.dmp
      Filesize

      13.8MB

      Download
    • memory/4876-683-0x00000000013E0000-0x00000000021B9000-memory.dmp
      Filesize

      13.8MB

      Download
    • memory/4876-680-0x0000000000000000-mapping.dmp
      Download
    • memory/5076-689-0x0000000000000000-mapping.dmp
      Download
    • memory/5112-690-0x0000000000000000-mapping.dmp
      Download
    • memory/198916-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-172-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-166-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-168-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-174-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-175-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-176-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-177-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-178-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-179-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-180-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-181-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-182-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-183-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-184-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-186-0x0000000009760000-0x0000000009D66000-memory.dmp
      Filesize

      6.0MB

      Download
    • memory/198916-187-0x0000000006CD0000-0x0000000006CE2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/198916-188-0x0000000009260000-0x000000000936A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/198916-191-0x0000000009190000-0x00000000091CE000-memory.dmp
      Filesize

      248KB

      Download
    • memory/198916-193-0x00000000091D0000-0x000000000921B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/198916-203-0x000000000A270000-0x000000000A76E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/198916-206-0x0000000009520000-0x0000000009596000-memory.dmp
      Filesize

      472KB

      Download
    • memory/198916-207-0x0000000009640000-0x00000000096D2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/198916-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/198916-130-0x000000000041B4EE-mapping.dmp
      Download
    • memory/198916-125-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/198916-211-0x0000000009600000-0x000000000961E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/198916-213-0x0000000009EE0000-0x0000000009F46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/198916-472-0x000000000AC60000-0x000000000ACB0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/198916-481-0x000000000AE80000-0x000000000B042000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/198916-482-0x000000000BAB0000-0x000000000BFDC000-memory.dmp
      Filesize

      5.2MB

      Download