Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-08-2022 16:25

General

  • Target

    ce6afbcf08be70895d0dc65e5d72bc0c.exe

  • Size

    1.1MB

  • MD5

    ce6afbcf08be70895d0dc65e5d72bc0c

  • SHA1

    0891df1c147c5af34a2213fcda1a24c4cae9c634

  • SHA256

    f0f8fb599991890cfa572fa802710ca60a61f8d2f64edc7a0e7b24b7811c20d1

  • SHA512

    e1efe945788a30ec4567e06fc305201075866783ab8c20ec6ef995512d23b62f802b657c545ee020b2f8d9c11111898e6619be6f8f41d76d941573cb67feeff3

Malware Config

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:34589

Attributes
  • auth_value

    64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

5

C2

176.113.115.146:9582

Attributes
  • auth_value

    d38b30c1ccd6c1e5088d9e5bd9e51b0f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 8 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce6afbcf08be70895d0dc65e5d72bc0c.exe
    "C:\Users\Admin\AppData\Local\Temp\ce6afbcf08be70895d0dc65e5d72bc0c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1440
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:288
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1540
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
      2⤵
      PID:1420
    • C:\Program Files (x86)\Company\NewProduct\F0geI.exe
      "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
      2⤵
      • Executes dropped EXE
      PID:952
    • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
      "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
      2⤵
      • Executes dropped EXE
      PID:1096
    • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
      "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Program Files (x86)\Company\NewProduct\real.exe
      "C:\Program Files (x86)\Company\NewProduct\real.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1704
    • C:\Program Files (x86)\Company\NewProduct\safert44.exe
      "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1120
    • C:\Program Files (x86)\Company\NewProduct\EU1.exe
      "C:\Program Files (x86)\Company\NewProduct\EU1.exe"
      2⤵
      • Executes dropped EXE
      PID:1652

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (1 signature) T1112
  • Credential Access: Credentials in Files (3 signatures) T1081
  • Discovery: Query Registry (2 signatures) T1012; System Information Discovery (2 signatures) T1082
  • Collection: Data from Local System (3 signatures) T1005
  • Command and Control: Web Service (1 signature) T1102

    Downloads

    • C:\Program Files (x86)\Company\NewProduct\EU1.exe
      Filesize

      281KB

      MD5

      ba3a49c828d27a3c6b1bc179e76af540

      SHA1

      373f8edd1a12b4e333bd54c03553f0874091f60e

      SHA256

      e7071de8c17a23fc79c11e89d59af2049796fcbf6a46523e1e9a1071772158f1

      SHA512

      e0c9e9eb2943ae9a6edfb6d7f9681f3e3050f6f5f6e17485be93f597fae7442aded2eca90712c452dd8ad6cb23162be2a51deb67fdb3ba8bf72239615696b0fb

    • C:\Program Files (x86)\Company\NewProduct\F0geI.exe
      Filesize

      339KB

      MD5

      501e0f6fa90340e3d7ff26f276cd582e

      SHA1

      1bce4a6153f71719e786f8f612fbfcd23d3e130a

      SHA256

      f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

      SHA512

      dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

    • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
      Filesize

      1.4MB

      MD5

      ec59f38fa35c0cf3babd976f5f23c74e

      SHA1

      2f7600ac9df0869fae48d99afe9569d83efafc8b

      SHA256

      6d0d294e321014a3129d3533ce143f08b0a3639cc50ddaf236396b82a595925e

      SHA512

      d4d2c4078dd40bc57d421750ac26f5467f082f6b4fae422d574ca406b928b6bb1e4f7cbb80a80b11f3908134028c6b7bb3b67c17e02d1899a6cda6e0312c3574

    • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
      Filesize

      107KB

      MD5

      bbd8ea73b7626e0ca5b91d355df39b7f

      SHA1

      66e298653beb7f652eb44922010910ced6242879

      SHA256

      1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

      SHA512

      625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

    • C:\Program Files (x86)\Company\NewProduct\real.exe
      Filesize

      282KB

      MD5

      474861050e6a7b65bc4521096cb05454

      SHA1

      4e1aabe27598171a89c219aab860b325a4358b22

      SHA256

      ccd962957659555af7c607deb20a4ec34a1578af037d5310ffd07bd092f0ebc7

      SHA512

      42afff00dd616fc73d1c338184149ddb66376e808cd2da39a94357c8d296a245ab0f1e474aac1789d613efef3c1867e0c3a2e41c07ac21bcc07e00ea08309a79

    • C:\Program Files (x86)\Company\NewProduct\safert44.exe
      Filesize

      246KB

      MD5

      414ffd7094c0f50662ffa508ca43b7d0

      SHA1

      6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

      SHA256

      d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

      SHA512

      c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99BB0E61-1CC7-11ED-9843-7ADD0904B6AC}.dat
      Filesize

      3KB

      MD5

      18416b8a6efc9e44511f82c62ddf0574

      SHA1

      28bf539d2b41e1675b6dbb4a7717c1394b585d13

      SHA256

      82b71a26f28a6fd6151acf60712cce957a7db26cecc3318d6531c2e3fe5c13fd

      SHA512

      31a5e57d406d08c6ed8bf5c6f7c218d242aef3034ae79712d916f4d737843524c49472f376094d7045d7b456d14ca0765a95ee8532645bad56e8d34e7ee25f1a

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99BB0E61-1CC7-11ED-9843-7ADD0904B6AC}.dat
      Filesize

      5KB

      MD5

      2037bbf2a27e0cffa280e704dfd46678

      SHA1

      76de0ea69d1b85d3346a2d38a8754626a556aa17

      SHA256

      b71fea626bd399d0cfa3610901ca1078239b5af13786343b45312360afec50ee

      SHA512

      72e84bc20b58c4af701f136c1cabcd58082f4d437bc62769c26903bb886e556d60ba51cdfeedf084f69d1b2f78f0025528a15bfccb210df52869db9651f7d006

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99BD6FC1-1CC7-11ED-9843-7ADD0904B6AC}.dat
      Filesize

      3KB

      MD5

      5e7a5793b73e76c4cfb2f0bf2899ba48

      SHA1

      57f0c0fed3e513c4ccfcfddaac6f29bd5ee57914

      SHA256

      d02b388db86e71c4e6eed703d313a8dd415f1f07d4a8164734d0c29854d1fb1e

      SHA512

      f1887406d2a389cae2048c59963b5ad1ca113727eb4d97104f9935564044afcf0fd88c961fa23e29a417ac3bec210f78382fbfb9448e6fb3a18d33f628d3c04b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LU6HZXN6.txt
      Filesize

      606B

      MD5

      2befebb23172572c61c40d8a28ef24f5

      SHA1

      11a9ca8f6371b71afa20d10016aed11e7fce3a9a

      SHA256

      337991a1cb0dee6dd6706cb60f25f6604d5d2b93203255c0fb9a1359f54c7941

      SHA512

      4e0e0f695dfe21ee7e9c606004e2e7b73933fc2cae8d7e74e43892ab3bd26af8663b95b8282b3038f799b516de18e9f9855fb126bfd015c4d71e12474a0fb26b
