Overview

overview

10

Static

static

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    15-08-2022 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe

  • Size

    4.7MB

  • MD5

    f4ee53801ab804bfdc50d03daaf50595

  • SHA1

    c9748bca6c56c59280052b89a2d2a69ef348fdfa

  • SHA256

    f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b

  • SHA512

    72ee2ccb2e520f2cd9a54217ba85c1228529cb2ae7e103e0f3892a5910b9b29d54d7b427029bfc624b091b391e88eac906eb9305873972ba89ea1d507ca3ef98

Score
10/10
redlineytstealers32infostealerspywarestealerupx

Malware Config

Extracted

Family

redline

Botnet

s32

C2

185.106.92.56:48079

Attributes
  • auth_value

    9ad5135eac94b69fb550f1f6a2c7e142

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe
    "C:\Users\Admin\AppData\Local\Temp\f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Users\Admin\AppData\Local\Temp\333.exe
        "C:\Users\Admin\AppData\Local\Temp\333.exe"
        3⤵
        • Executes dropped EXE
        PID:1812

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\333.exe
    Filesize

    4.0MB

    MD5

    54759c68e5daf4d0195ccc4bd929b6ce

    SHA1

    4dd9a7932308baec2b2d9d5e87aca88a488ac74e

    SHA256

    7819f51ad0cc844210b83cc218fe2c750c87cfc6f0c21921a3ceebc62b76b060

    SHA512

    1ca17ba07d44b26e25e7594a33510d772079e754fa8c06cde97cc5ede4d5a40e2e5ba0605ea1b075ac3e4e3c167075dacbd86094d5e5861195d1376352572d12

    Download Submit

  • \Users\Admin\AppData\Local\Temp\333.exe
    Filesize

    4.0MB

    MD5

    54759c68e5daf4d0195ccc4bd929b6ce

    SHA1

    4dd9a7932308baec2b2d9d5e87aca88a488ac74e

    SHA256

    7819f51ad0cc844210b83cc218fe2c750c87cfc6f0c21921a3ceebc62b76b060

    SHA512

    1ca17ba07d44b26e25e7594a33510d772079e754fa8c06cde97cc5ede4d5a40e2e5ba0605ea1b075ac3e4e3c167075dacbd86094d5e5861195d1376352572d12

    Download Submit

  • \Users\Admin\AppData\Local\Temp\333.exe
    Filesize

    4.0MB

    MD5

    54759c68e5daf4d0195ccc4bd929b6ce

    SHA1

    4dd9a7932308baec2b2d9d5e87aca88a488ac74e

    SHA256

    7819f51ad0cc844210b83cc218fe2c750c87cfc6f0c21921a3ceebc62b76b060

    SHA512

    1ca17ba07d44b26e25e7594a33510d772079e754fa8c06cde97cc5ede4d5a40e2e5ba0605ea1b075ac3e4e3c167075dacbd86094d5e5861195d1376352572d12

    Download Submit

  • memory/1176-55-0x00000000759E1000-0x00000000759E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1176-56-0x00000000055B0000-0x0000000005698000-memory.dmp

    Filesize

    928KB

    Download

  • memory/1176-57-0x0000000004DD0000-0x0000000004E1A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1176-58-0x00000000057C0000-0x0000000005852000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1176-54-0x0000000001090000-0x0000000001554000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1772-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1772-61-0x000000006EF60000-0x000000006F50B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1772-62-0x000000006EF60000-0x000000006F50B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1772-63-0x000000006EF60000-0x000000006F50B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1788-68-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1788-69-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1788-70-0x000000000041ADBA-mapping.dmp

    Download

  • memory/1788-74-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1788-72-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1788-64-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1788-65-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1788-67-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1812-78-0x0000000000000000-mapping.dmp

    Download

  • memory/1812-80-0x0000000001020000-0x0000000001E31000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/1812-81-0x0000000001020000-0x0000000001E31000-memory.dmp

    Filesize

    14.1MB

    Download