Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-08-2022 16:25

General

  • Target

    d4216a074263ea8b5346c98fce937390.exe

  • Size

    1.1MB

  • MD5

    d4216a074263ea8b5346c98fce937390

  • SHA1

    dd53f20dfa19976ec6a0e0ed9519c96e0384f893

  • SHA256

    03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b

  • SHA512

    2e8c8ffc9df499f7405d5dbe5eacad37b1eb8e5f68c9f3e15bb0d87a15fbeca691e2708da5ce59eb3e744b70231a7955eb2f8e75c8b09e3d65c628e37a9bc17d

Malware Config

Extracted

  • Family
    redline
  • Botnet
    nam3
  • C2
    103.89.90.61:34589
  • Attributes
    • auth_value
      64b900120bbceaa6a9c60e9079492895

Extracted

  • Family
    redline
  • Botnet
    5
  • C2
    176.113.115.146:9582
  • Attributes
    • auth_value
      d38b30c1ccd6c1e5088d9e5bd9e51b0f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 8 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4216a074263ea8b5346c98fce937390.exe
    "C:\Users\Admin\AppData\Local\Temp\d4216a074263ea8b5346c98fce937390.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        PID:984
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:824 CREDAT:275457 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:2032
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1304
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:608 CREDAT:275457 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:332
    • C:\Program Files (x86)\Company\NewProduct\F0geI.exe
      "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
      2⤵
      • Executes dropped EXE
      PID:820
    • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
      "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
      2⤵
      • Executes dropped EXE
      PID:1760
    • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
      "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
    • C:\Program Files (x86)\Company\NewProduct\real.exe
      "C:\Program Files (x86)\Company\NewProduct\real.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1712
    • C:\Program Files (x86)\Company\NewProduct\safert44.exe
      "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1688
    • C:\Program Files (x86)\Company\NewProduct\me.exe
      "C:\Program Files (x86)\Company\NewProduct\me.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:876

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 3
  • Command and Control
    Web Service (T1102): 1

Downloads

  • C:\Program Files (x86)\Company\NewProduct\F0geI.exe
    Filesize

    339KB

    MD5

    501e0f6fa90340e3d7ff26f276cd582e

    SHA1

    1bce4a6153f71719e786f8f612fbfcd23d3e130a

    SHA256

    f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

    SHA512

    dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

  • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
    Filesize

    1.4MB

    MD5

    ec59f38fa35c0cf3babd976f5f23c74e

    SHA1

    2f7600ac9df0869fae48d99afe9569d83efafc8b

    SHA256

    6d0d294e321014a3129d3533ce143f08b0a3639cc50ddaf236396b82a595925e

    SHA512

    d4d2c4078dd40bc57d421750ac26f5467f082f6b4fae422d574ca406b928b6bb1e4f7cbb80a80b11f3908134028c6b7bb3b67c17e02d1899a6cda6e0312c3574

  • C:\Program Files (x86)\Company\NewProduct\me.exe
    Filesize

    281KB

    MD5

    0856c11e41b1bf5e5aafb44fa4eaae4e

    SHA1

    3bb9039bbe89b2058c7c7d0537d7ddaa8f5d2826

    SHA256

    0721243b2d897a8734838ac4fbd402dab5a247a973f08fc82703a565c516911f

    SHA512

    f5605d5d0ef514dd6f571c30b79608a6ddbb8fb025c2750448a758295a0f3fc47a1b973aab0e061f8361b696c920ebb54073ef109cfd14cd08cdb98b9a1b7726

  • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
    Filesize

    107KB

    MD5

    bbd8ea73b7626e0ca5b91d355df39b7f

    SHA1

    66e298653beb7f652eb44922010910ced6242879

    SHA256

    1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

    SHA512

    625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

  • C:\Program Files (x86)\Company\NewProduct\real.exe
    Filesize

    282KB

    MD5

    474861050e6a7b65bc4521096cb05454

    SHA1

    4e1aabe27598171a89c219aab860b325a4358b22

    SHA256

    ccd962957659555af7c607deb20a4ec34a1578af037d5310ffd07bd092f0ebc7

    SHA512

    42afff00dd616fc73d1c338184149ddb66376e808cd2da39a94357c8d296a245ab0f1e474aac1789d613efef3c1867e0c3a2e41c07ac21bcc07e00ea08309a79

  • C:\Program Files (x86)\Company\NewProduct\safert44.exe
    Filesize

    246KB

    MD5

    414ffd7094c0f50662ffa508ca43b7d0

    SHA1

    6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

    SHA256

    d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

    SHA512

    c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98B9DAA1-1CC7-11ED-A6E1-52E8C5FCC7C7}.dat
    Filesize

    3KB

    MD5

    e8667afb3e03094855f99c0e0424a0d7

    SHA1

    2ef7157d895a82b61d2f37232a9c00622c195608

    SHA256

    ba48092074b5ea1dd70ace0e49943dcb8da8e16d59badbea94a03b7688152bc0

    SHA512

    2e0e7e4cdaa9222999c33e995eb46c11fd47b674350fdcb765bc967f434683e52dbfca8b1358c0e9358ba4ecc4c86ec9aceb92bbc59d1357a24377dd5e03a03f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98BAC501-1CC7-11ED-A6E1-52E8C5FCC7C7}.dat
    Filesize

    3KB

    MD5

    3b9e19c8caab52683f1e1bdd8f875fc8

    SHA1

    6ae582cef46b4390dc83a05854516491e56b00bf

    SHA256

    9ee2307350e56872e919ea47767e23968a3c7a3262f11f47ef8b4cf0599fad0e

    SHA512

    87f0759d20d5b90be067c0c46fbffd30f853b57eebf43882c731aeced0e697da6ca422605a3edb8058957c8713f9b646c9186acbdaa0c1caeaa08d22c0dd89be

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98BAEC11-1CC7-11ED-A6E1-52E8C5FCC7C7}.dat
    Filesize

    3KB

    MD5

    51de651789b8239d999cc3362f233bfa

    SHA1

    f14998d1b6b6aa01a46f84365765b6b61571459d

    SHA256

    5fada1256844c15c494d51e59312f42970ae4dab2896111f887c44b030386e9d

    SHA512

    786f9800a82bc7f8c6ccd22390bd7008330f384235d2ce3d99bce875bd45a21a64f27be9564481ce556ace9241912920a01417446e8c215f3bea1034ed590d89

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98C35081-1CC7-11ED-A6E1-52E8C5FCC7C7}.dat
    Filesize

    5KB

    MD5

    1c1ff729e47b4c6cade2c479ca3a0ce5

    SHA1

    cb9f6e63fcc20d7cc75d185a5d05eaf463f0d2ac

    SHA256

    212a22c4af2ba82dd0ce6dd83e86c0fd9541c164bb068f8f6a6dea7856babab7

    SHA512

    9960df67d4861665e348560dcfa647d23f9eaf6ad2d501cc12e734dc40b445d1c655fdc243ea08ed3b5512bc1441752e913c1d97f771b42e7dfa2a80af24acfb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YIBB5L9Q.txt
    Filesize

    608B

    MD5

    38eed45337099cf3ea16ec16ef8ee9cb

    SHA1

    854ed9ea5fb51c5100a5ccf4a19ebb55e4850c28

    SHA256

    19ccb12ce171b8ee1aae4406babc6d3a0cfeb3bcb4e369ec7e6139030035fc87

    SHA512

    d8933a6a9d27b778f3b747881933ec920c920b2903c0078fb76a21af1be66bfe4c833a2d1dbd2cbe8d7092712bc0a19db42c3d116da4877493a5cf0631a260a4

  • \Program Files (x86)\Company\NewProduct\F0geI.exe
    Filesize

    339KB

    MD5

    501e0f6fa90340e3d7ff26f276cd582e

    SHA1

    1bce4a6153f71719e786f8f612fbfcd23d3e130a

    SHA256

    f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

    SHA512

    dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

  • \Program Files (x86)\Company\NewProduct\kukurzka9000.exe
    Filesize

    1.4MB

    MD5

    ec59f38fa35c0cf3babd976f5f23c74e

    SHA1

    2f7600ac9df0869fae48d99afe9569d83efafc8b

    SHA256

    6d0d294e321014a3129d3533ce143f08b0a3639cc50ddaf236396b82a595925e

    SHA512

    d4d2c4078dd40bc57d421750ac26f5467f082f6b4fae422d574ca406b928b6bb1e4f7cbb80a80b11f3908134028c6b7bb3b67c17e02d1899a6cda6e0312c3574

  • \Program Files (x86)\Company\NewProduct\me.exe
    Filesize

    281KB

    MD5

    0856c11e41b1bf5e5aafb44fa4eaae4e

    SHA1

    3bb9039bbe89b2058c7c7d0537d7ddaa8f5d2826

    SHA256

    0721243b2d897a8734838ac4fbd402dab5a247a973f08fc82703a565c516911f

    SHA512

    f5605d5d0ef514dd6f571c30b79608a6ddbb8fb025c2750448a758295a0f3fc47a1b973aab0e061f8361b696c920ebb54073ef109cfd14cd08cdb98b9a1b7726

  • \Program Files (x86)\Company\NewProduct\namdoitntn.exe
    Filesize

    107KB

    MD5

    bbd8ea73b7626e0ca5b91d355df39b7f

    SHA1

    66e298653beb7f652eb44922010910ced6242879

    SHA256

    1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

    SHA512

    625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

  • \Program Files (x86)\Company\NewProduct\real.exe
    Filesize

    282KB

    MD5

    474861050e6a7b65bc4521096cb05454

    SHA1

    4e1aabe27598171a89c219aab860b325a4358b22

    SHA256

    ccd962957659555af7c607deb20a4ec34a1578af037d5310ffd07bd092f0ebc7

    SHA512

    42afff00dd616fc73d1c338184149ddb66376e808cd2da39a94357c8d296a245ab0f1e474aac1789d613efef3c1867e0c3a2e41c07ac21bcc07e00ea08309a79

  • \Program Files (x86)\Company\NewProduct\safert44.exe
    Filesize

    246KB

    MD5

    414ffd7094c0f50662ffa508ca43b7d0

    SHA1

    6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

    SHA256

    d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

    SHA512

    c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

  • memory/820-87-0x0000000000230000-0x0000000000240000-memory.dmp
    Filesize

    64KB

  • memory/820-116-0x000000000063B000-0x000000000064C000-memory.dmp
    Filesize

    68KB

  • memory/820-136-0x000000000063B000-0x000000000064C000-memory.dmp
    Filesize

    68KB

  • memory/820-57-0x0000000000000000-mapping.dmp
  • memory/820-86-0x000000000063B000-0x000000000064C000-memory.dmp
    Filesize

    68KB

  • memory/820-88-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize

    440KB

  • memory/876-97-0x0000000060900000-0x0000000060992000-memory.dmp
    Filesize

    584KB

  • memory/876-78-0x0000000000000000-mapping.dmp
  • memory/1196-54-0x0000000075D01000-0x0000000075D03000-memory.dmp
    Filesize

    8KB

  • memory/1492-64-0x0000000000000000-mapping.dmp
  • memory/1492-84-0x0000000001220000-0x0000000001240000-memory.dmp
    Filesize

    128KB

  • memory/1688-72-0x0000000000000000-mapping.dmp
  • memory/1688-85-0x0000000000380000-0x0000000000386000-memory.dmp
    Filesize

    24KB

  • memory/1688-83-0x0000000000900000-0x0000000000944000-memory.dmp
    Filesize

    272KB

  • memory/1712-70-0x0000000000000000-mapping.dmp
  • memory/1760-61-0x0000000000000000-mapping.dmp
  • memory/1760-96-0x0000000000400000-0x000000000056A000-memory.dmp
    Filesize

    1.4MB

  • memory/1760-95-0x0000000001F80000-0x0000000001F92000-memory.dmp
    Filesize

    72KB