Analysis
max time kernel: 44s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 30/08/2022, 00:12
Behavioral task: behavioral1
Sample: f8afeeab30c1ef52199dfabc7be6d4c6.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: f8afeeab30c1ef52199dfabc7be6d4c6.exe
Resource: win10v2004-20220812-en
General
Target: f8afeeab30c1ef52199dfabc7be6d4c6.exe
Size: 175KB
MD5: f8afeeab30c1ef52199dfabc7be6d4c6
SHA1: b306886efbdc6b38af5292f232c83cac3af8fb49
SHA256: 537967a4ff0594af46c09bf023eb4964af5a9bf2ef902acc2000e53addeba193
SHA512: 3a3a1b469f6925090fef244551cd7b6bdbca72c58010bb3660386d78a80416b096a6e788bb715667a6bfe42516b1fdf711f575cfa3a9e240b2bb350778c24ca7
SSDEEP: 3072:tTHr/+PDJ8K+7V1T4rlIZPFpTJYyvqtWroLwyrxfiWpiOwIm12i/tWo1Vz8xo:NrGPuKW10rCYCq8xyrtWOwIm1v/V1VE
Malware Config
Extracted: redline
  78.24.216.5:42717
  auth_value: 6687e352a0604d495c3851d248ebf06f
Extracted: raccoon
  ea6e085210142782ca765e8e63fe811d
  http://206.188.196.200/
Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x000c0000000054a8-56.dat                                  family_redline
  behavioral1/files/0x000c0000000054a8-58.dat                                  family_redline
  behavioral1/files/0x000c0000000054a8-59.dat                                  family_redline
  behavioral1/memory/1708-60-0x0000000000DD0000-0x0000000000DF0000-memory.dmp  family_redline

Executes dropped EXE (2 IoCs)
  pid   Process
  1708  8999.exe
  1704  2.0.1-beta.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  832   f8afeeab30c1ef52199dfabc7be6d4c6.exe
  832   f8afeeab30c1ef52199dfabc7be6d4c6.exe
  832   f8afeeab30c1ef52199dfabc7be6d4c6.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1708  8999.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1708  8999.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                    pid  Process                               procid_target
  PID 832 wrote to memory of 1708  832  f8afeeab30c1ef52199dfabc7be6d4c6.exe  28
  PID 832 wrote to memory of 1708  832  f8afeeab30c1ef52199dfabc7be6d4c6.exe  28
  PID 832 wrote to memory of 1708  832  f8afeeab30c1ef52199dfabc7be6d4c6.exe  28
  PID 832 wrote to memory of 1708  832  f8afeeab30c1ef52199dfabc7be6d4c6.exe  28
  PID 832 wrote to memory of 1704  832  f8afeeab30c1ef52199dfabc7be6d4c6.exe  29
  PID 832 wrote to memory of 1704  832  f8afeeab30c1ef52199dfabc7be6d4c6.exe  29
  PID 832 wrote to memory of 1704  832  f8afeeab30c1ef52199dfabc7be6d4c6.exe  29
  PID 832 wrote to memory of 1704  832  f8afeeab30c1ef52199dfabc7be6d4c6.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe (PID 832, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\8999.exe (PID 1708, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\8999.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe (PID 1704, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 57KB
MD5: b167ba266d25d54ae5d7a85b6d30309e
SHA1: 1e2e2c9934a6276529b39c784597026ffb2336b8
SHA256: 595a15ed654f8c7ffcd47dd71fa637f6be7cbf2524b7867aa7c941df3f681cf2
SHA512: 3b52e2fff5e17bb034c49acc90dd73972ea24237789e99cf89e1eb30831d4de94e2d3c3a445a06449cd30c4abd517f13b7584ee45c3a875e82c1310dfaa31370

Filesize: 107KB
MD5: 46c9e711e372e5400396c316aee84ef2
SHA1: 87d69acf7d1aa5c14d589f2675b762d31df4f045
SHA256: 649c7ce4e1f7fa6cbc84427bc59f02c3aee0d5147e020d78ad5098b0edfd9278
SHA512: b75d0c2523967595894d11e82e549117597cc52c3cc3521fbdb0e8f64c14842a0648a5ac2afc6d5a24f7d35985639513a093ac9ca86f19a2a5d9824a8a7fae88