Overview

overview

10

Static

static

0c35a9ba84...67.exe

windows7-x64

10

0c35a9ba84...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-08-2022 21:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c35a9ba848af55c69574a6676896167.exe

  • Size

    1.1MB

  • MD5

    0c35a9ba848af55c69574a6676896167

  • SHA1

    5f4a15cb4749755d7b3e0c87523436e57ca616bd

  • SHA256

    e44039074cefd09367970c1bd8be052e4ce4cbebd7bdeaa3b495391def0fb2f9

  • SHA512

    28af24c6446fc191f51e31cfdec8d9747bde56ec0ac3c24e0a09293a08d007f2f9dc049f5faacf8ad51fdca2206f87041bb4e0c501ed1dad2a990ab07dae246a

  • SSDEEP

    24576:U5SrEl6dNKcxhY6YKTXGsDgMfadq8o/Dl6SkJGAMBU:UMSc8grl6SkBMB

Score
10/10
redlineytstealerinfostealerspywarestealerupx

Malware Config

Extracted

Family

redline

C2

185.215.113.55:15912

Attributes
  • auth_value

    9e9ec97701fcb6c8d3b5dd97294bcfa9

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c35a9ba848af55c69574a6676896167.exe
    "C:\Users\Admin\AppData\Local\Temp\0c35a9ba848af55c69574a6676896167.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:181056
      • C:\Users\Admin\AppData\Local\Temp\filename.exe
        "C:\Users\Admin\AppData\Local\Temp\filename.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "" "Get-WmiObject Win32_PortConnector"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3096
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 177864
      2⤵
      • Program crash
      PID:181184
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4756 -ip 4756
    1⤵
      PID:181128

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\filename.exe
      Filesize

      4.0MB

      MD5

      8ce1b58517d9488123e72f84b2ba3709

      SHA1

      883bfba65cc27b5cbca1c5f8106961edae9b25d5

      SHA256

      b221019fa30df97d456407a899a4675d1bfa0394c6362fc1745bb3235b69be14

      SHA512

      32c9ecf59e760dd60b56ec980afac5b7bdc5bd39f128400425dc9e920461c3158d1b5815e23f17c69915ec7992e22db10742da8bda9fee34eb87e368c3d9fd1b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\filename.exe
      Filesize

      4.0MB

      MD5

      8ce1b58517d9488123e72f84b2ba3709

      SHA1

      883bfba65cc27b5cbca1c5f8106961edae9b25d5

      SHA256

      b221019fa30df97d456407a899a4675d1bfa0394c6362fc1745bb3235b69be14

      SHA512

      32c9ecf59e760dd60b56ec980afac5b7bdc5bd39f128400425dc9e920461c3158d1b5815e23f17c69915ec7992e22db10742da8bda9fee34eb87e368c3d9fd1b

      Download Submit
    • memory/3096-157-0x00007FFE80A10000-0x00007FFE814D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3096-156-0x00007FFE80A10000-0x00007FFE814D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3096-155-0x00000262600A0000-0x00000262600C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3096-154-0x0000000000000000-mapping.dmp
      Download
    • memory/4964-158-0x0000000000870000-0x0000000001684000-memory.dmp
      Filesize

      14.1MB

      Download
    • memory/4964-153-0x0000000000870000-0x0000000001684000-memory.dmp
      Filesize

      14.1MB

      Download
    • memory/4964-152-0x0000000000870000-0x0000000001684000-memory.dmp
      Filesize

      14.1MB

      Download
    • memory/4964-149-0x0000000000000000-mapping.dmp
      Download
    • memory/181056-141-0x0000000004DB0000-0x0000000004DEC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/181056-147-0x0000000006A20000-0x0000000006BE2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/181056-148-0x0000000007120000-0x000000000764C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/181056-146-0x0000000005E20000-0x0000000005E3E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/181056-145-0x0000000005D60000-0x0000000005DD6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/181056-144-0x0000000005CC0000-0x0000000005D52000-memory.dmp
      Filesize

      584KB

      Download
    • memory/181056-143-0x00000000061A0000-0x0000000006744000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/181056-142-0x00000000050E0000-0x0000000005146000-memory.dmp
      Filesize

      408KB

      Download
    • memory/181056-132-0x0000000000000000-mapping.dmp
      Download
    • memory/181056-140-0x0000000004E80000-0x0000000004F8A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/181056-139-0x0000000004D50000-0x0000000004D62000-memory.dmp
      Filesize

      72KB

      Download
    • memory/181056-138-0x00000000052D0000-0x00000000058E8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/181056-133-0x0000000000780000-0x00000000007A0000-memory.dmp
      Filesize

      128KB

      Download