Overview

overview

10

Static

static

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    310s
  • max time network
    319s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20-08-2022 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe

  • Size

    139KB

  • MD5

    cd025972c4df727a0fce903a1209c627

  • SHA1

    cc14e518cafcc81c3c44384c491f1ee7634aef37

  • SHA256

    0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38

  • SHA512

    af2c4ddc79dc98eefa65ccd5aac13918f97fcdb2857b4a344d3ca3e3277579387f13642894a8e561e88c713f3d56965673453e68d7cfb33bbaa9568e2b2dc03d

Score
10/10
redlineytstealera1infostealerspywarestealerupx

Malware Config

Extracted

Family

redline

Botnet

a1

C2

65.21.133.231:47430

Attributes
  • auth_value

    b7563e1c5afab74eb0301a1cb2907974

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe
    "C:\Users\Admin\AppData\Local\Temp\0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Users\Admin\AppData\Local\Temp\333.exe
        "C:\Users\Admin\AppData\Local\Temp\333.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3672
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "" "Get-WmiObject Win32_PortConnector"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

2
T1081

Discovery

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\333.exe
    Filesize

    4.0MB

    MD5

    54759c68e5daf4d0195ccc4bd929b6ce

    SHA1

    4dd9a7932308baec2b2d9d5e87aca88a488ac74e

    SHA256

    7819f51ad0cc844210b83cc218fe2c750c87cfc6f0c21921a3ceebc62b76b060

    SHA512

    1ca17ba07d44b26e25e7594a33510d772079e754fa8c06cde97cc5ede4d5a40e2e5ba0605ea1b075ac3e4e3c167075dacbd86094d5e5861195d1376352572d12

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\333.exe
    Filesize

    4.0MB

    MD5

    54759c68e5daf4d0195ccc4bd929b6ce

    SHA1

    4dd9a7932308baec2b2d9d5e87aca88a488ac74e

    SHA256

    7819f51ad0cc844210b83cc218fe2c750c87cfc6f0c21921a3ceebc62b76b060

    SHA512

    1ca17ba07d44b26e25e7594a33510d772079e754fa8c06cde97cc5ede4d5a40e2e5ba0605ea1b075ac3e4e3c167075dacbd86094d5e5861195d1376352572d12

    Download Submit
  • memory/3672-646-0x0000000000000000-mapping.dmp
    Download
  • memory/3672-652-0x0000000000BB0000-0x00000000019C1000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/3672-673-0x0000000000BB0000-0x00000000019C1000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/3672-655-0x0000000000BB0000-0x00000000019C1000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/4084-665-0x00000298E7A80000-0x00000298E7AF6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4084-662-0x00000298E78D0000-0x00000298E78F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4084-656-0x0000000000000000-mapping.dmp
    Download
  • memory/4260-155-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-150-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-122-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-123-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-124-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-127-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-129-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-130-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-133-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-132-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-131-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-115-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-126-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-125-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-135-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-136-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-137-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-138-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-134-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-139-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-140-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-142-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-143-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-144-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-141-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-145-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-146-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-147-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-148-0x00000000006D0000-0x00000000006FA000-memory.dmp
    Filesize

    168KB

    Download
  • memory/4260-149-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-151-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-152-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-153-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-116-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-154-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-120-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-165-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-117-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-128-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-118-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-121-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4260-119-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-518-0x000000000AD20000-0x000000000AEE2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4760-156-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4760-178-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-174-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-181-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-182-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-179-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-159-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-175-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-173-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-172-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-171-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-169-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-168-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-166-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-161-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-160-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-177-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-180-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-176-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-214-0x00000000097A0000-0x0000000009DA6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4760-216-0x00000000092A0000-0x00000000093AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4760-219-0x00000000091D0000-0x000000000920E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4760-221-0x0000000009210000-0x000000000925B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4760-215-0x0000000006DF0000-0x0000000006E02000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4760-162-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-248-0x000000000A1A0000-0x000000000A216000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4760-249-0x000000000A2C0000-0x000000000A352000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4760-170-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-240-0x0000000009EB0000-0x0000000009F16000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4760-157-0x000000000041ADA6-mapping.dmp
    Download
  • memory/4760-164-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-158-0x0000000076FE0000-0x000000007716E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4760-253-0x000000000A280000-0x000000000A29E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4760-509-0x000000000B800000-0x000000000B850000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4760-236-0x000000000A3B0000-0x000000000A8AE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4760-519-0x000000000BD80000-0x000000000C2AC000-memory.dmp
    Filesize

    5.2MB

    Download