Analysis
max time kernel: 46s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 11:10
Static task: static1
Behavioral task: behavioral1 (sample: proton free.exe, resource: win7-20220812-en)
Behavioral task: behavioral2 (sample: proton free.exe, resource: win10v2004-20220812-en)
General
Target: proton free.exe
Size: 2.4MB
MD5: ba0fcc475c2ae5390cc58b8311141747
SHA1: cb3fa75cd34dce89b0adeb6ecac6c87f0f6629f5
SHA256: 7f75065513270ddbfef0c8b2fea3a5a4b8023cbca6ca746929bc9cf888d96b78
SHA512: 7bf633fad60e61a4cf888ba797761345322c32eb890e575b8348b6db9e3236021328ee75836a98a09a9ecccb60fa6cf8442541009e7f5141d288b5f0b51f1017
SSDEEP: 24576:MSPlYgvYcYYFTbY8M6UltHMCETI1Rj+hO5AlyHoZLClwLVSJVVgRdNa5CJl3RuQV:MaYMJk1bHoZLClwsSJl31
Malware Config
Extracted
Family: redline
Botnet: ubica
C2: 185.106.92.228:24221
auth_value: abace2a6ba4a747fd979f4ce8da5f1d0
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
Memory regions matching yara rule family_redline:
- behavioral1/memory/148596-56-0x0000000000400000-0x0000000000420000-memory.dmp
- behavioral1/memory/148596-61-0x000000000041ADB6-mapping.dmp
- behavioral1/memory/1836-63-0x0000000000400000-0x000000000055D000-memory.dmp
- behavioral1/memory/148596-64-0x0000000000400000-0x0000000000420000-memory.dmp
- behavioral1/memory/148596-62-0x0000000000400000-0x0000000000420000-memory.dmp
YTStealer payload (2 IoCs)
Memory regions matching yara rule family_ytstealer:
- behavioral1/memory/148860-70-0x0000000000230000-0x0000000001042000-memory.dmp
- behavioral1/memory/148860-71-0x0000000000230000-0x0000000001042000-memory.dmp
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
- 123.exe (PID 148860)
Files and memory regions matching yara rule upx (5 IoCs):
- \Users\Admin\AppData\Local\Temp\123.exe
- \Users\Admin\AppData\Local\Temp\123.exe
- C:\Users\Admin\AppData\Local\Temp\123.exe
- behavioral1/memory/148860-70-0x0000000000230000-0x0000000001042000-memory.dmp
- behavioral1/memory/148860-71-0x0000000000230000-0x0000000001042000-memory.dmp
Loads dropped DLL (2 IoCs)
- AppLaunch.exe (PID 148596)
- AppLaunch.exe (PID 148596)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious use of SetThreadContext (1 IoC)
- PID 1836 (proton free.exe) set thread context of PID 148596 (AppLaunch.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
- AppLaunch.exe (PID 148596)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- AppLaunch.exe (PID 148596): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (13 IoCs)
- PID 1836 (proton free.exe) wrote to memory of PID 148596 (AppLaunch.exe): 9 entries
- PID 148596 (AppLaunch.exe) wrote to memory of PID 148860 (123.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\proton free.exe (PID 1836), command line "C:\Users\Admin\AppData\Local\Temp\proton free.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 148596), command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\123.exe (PID 148860), command line "C:\Users\Admin\AppData\Local\Temp\123.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\123.exe
  Filesize: 4.0MB
  MD5: 54d16b2bd83331c4512e3392271ac098
  SHA1: 313327e368810eae000d565f642a33ae3fc47fef
  SHA256: cecc58f7e5b69e0b2159f68ca5ee38f36b59a0adbe36f8a93e791f8788488fb5
  SHA512: 9a613dd5e73d001e7a5fc71433619c6ffe7f1208b4930652e8a3c5e34330e7c7baf588a1386126d4a131041ad6162dfb390a3174f3cf511eaada1d00b4c314b3
- \Users\Admin\AppData\Local\Temp\123.exe
  Filesize: 4.0MB
  MD5: 54d16b2bd83331c4512e3392271ac098
  SHA1: 313327e368810eae000d565f642a33ae3fc47fef
  SHA256: cecc58f7e5b69e0b2159f68ca5ee38f36b59a0adbe36f8a93e791f8788488fb5
  SHA512: 9a613dd5e73d001e7a5fc71433619c6ffe7f1208b4930652e8a3c5e34330e7c7baf588a1386126d4a131041ad6162dfb390a3174f3cf511eaada1d00b4c314b3
- memory/1836-63-0x0000000000400000-0x000000000055D000-memory.dmp (Filesize: 1.4MB)
- memory/148596-65-0x0000000075771000-0x0000000075773000-memory.dmp (Filesize: 8KB)
- memory/148596-62-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/148596-54-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/148596-64-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/148596-61-0x000000000041ADB6-mapping.dmp
- memory/148596-56-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/148860-68-0x0000000000000000-mapping.dmp
- memory/148860-70-0x0000000000230000-0x0000000001042000-memory.dmp (Filesize: 14.1MB)
- memory/148860-71-0x0000000000230000-0x0000000001042000-memory.dmp (Filesize: 14.1MB)