Analysis
-
max time kernel
48s -
max time network
57s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
16-09-2022 20:44
General
-
Target
5DDFCF4815E94C48F1031CED6E010868.exe
-
Size
4.6MB
-
MD5
5ddfcf4815e94c48f1031ced6e010868
-
SHA1
a4e2383b7ef2b19279dab80c1393fa0bf49bd160
-
SHA256
8d73bdbb7100a3189c890f3c579c245bd19c75f5ace2aee9bb0fb3a11072f48d
-
SHA512
828dc460f0961fc0a6e503aca6089b41ad64ed3cd20c7bdf31d390f25b889cb03ca244ab76ac7da4934a74e793055576b11505528e32a0f20ca41186782fe888
-
SSDEEP
98304:EupPsMZmR207JGQUs0tYapHunTkOr8hGRWtg6hYemraATFotYuoz:Euplmk00psYAkOr6tgECXTGeuI
Malware Config
Extracted
redline
45.138.74.121:80
-
auth_value
b9baf351bc89181c836a21fda4084a03
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
-
YTStealer payload 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 5 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe"C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exeC:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Starter.exe"C:\Users\Admin\AppData\Local\Temp\Starter.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5075132399.exeC:\Users\Admin\AppData\Roaming\5075132399.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Starter.exeFilesize
18KB
MD5e9716ff7745b73a8ce8dd146737dd6b1
SHA17556845b4bb4ffa12bc25d85fabf699881310cf1
SHA256f89e45132fac0092760b11fb7ee37f92d2ec9b83d37ec6f50843366d78862e05
SHA512c9938bde8d3f4fd0966f79373c0e6214269b93b39b8e943c90ad494379a63919655972e0569deda8d22d441926e2b11b461553c5f93048b03022d9743a0b9f1e
-
C:\Users\Admin\AppData\Local\Temp\Starter.exeFilesize
18KB
MD5e9716ff7745b73a8ce8dd146737dd6b1
SHA17556845b4bb4ffa12bc25d85fabf699881310cf1
SHA256f89e45132fac0092760b11fb7ee37f92d2ec9b83d37ec6f50843366d78862e05
SHA512c9938bde8d3f4fd0966f79373c0e6214269b93b39b8e943c90ad494379a63919655972e0569deda8d22d441926e2b11b461553c5f93048b03022d9743a0b9f1e
-
C:\Users\Admin\AppData\Roaming\5075132399.exeFilesize
4.1MB
MD539c82e2f3a3c5d438aeafae69664b525
SHA10f000990a2f611801248fe953a665bf28775698d
SHA256c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59
SHA51230f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d
-
C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exeFilesize
1.2MB
MD54b7a101c5d6583f67fa574f7d9eab212
SHA188f34c4b0491dc3490fdce653d43a2f1b45943a5
SHA2566adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5
SHA512449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb
-
\Users\Admin\AppData\Local\Temp\Starter.exeFilesize
18KB
MD5e9716ff7745b73a8ce8dd146737dd6b1
SHA17556845b4bb4ffa12bc25d85fabf699881310cf1
SHA256f89e45132fac0092760b11fb7ee37f92d2ec9b83d37ec6f50843366d78862e05
SHA512c9938bde8d3f4fd0966f79373c0e6214269b93b39b8e943c90ad494379a63919655972e0569deda8d22d441926e2b11b461553c5f93048b03022d9743a0b9f1e
-
\Users\Admin\AppData\Roaming\5075132399.exeFilesize
4.1MB
MD539c82e2f3a3c5d438aeafae69664b525
SHA10f000990a2f611801248fe953a665bf28775698d
SHA256c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59
SHA51230f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d
-
\Users\Admin\AppData\Roaming\5075132399.exeFilesize
4.1MB
MD539c82e2f3a3c5d438aeafae69664b525
SHA10f000990a2f611801248fe953a665bf28775698d
SHA256c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59
SHA51230f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d
-
\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exeFilesize
1.2MB
MD54b7a101c5d6583f67fa574f7d9eab212
SHA188f34c4b0491dc3490fdce653d43a2f1b45943a5
SHA2566adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5
SHA512449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb
-
\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exeFilesize
1.2MB
MD54b7a101c5d6583f67fa574f7d9eab212
SHA188f34c4b0491dc3490fdce653d43a2f1b45943a5
SHA2566adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5
SHA512449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb
-
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmpFilesize
8KB
-
memory/1548-57-0x0000000000000000-mapping.dmp
-
memory/4020-75-0x0000000000B10000-0x000000000192B000-memory.dmpFilesize
14.1MB
-
memory/4020-63-0x0000000000B10000-0x000000000192B000-memory.dmpFilesize
14.1MB
-
memory/4020-61-0x0000000000000000-mapping.dmp
-
memory/92208-71-0x00000000000B27CE-mapping.dmp
-
memory/92208-72-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/92208-73-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/92208-66-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/92208-64-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/92504-77-0x0000000000000000-mapping.dmp
-
memory/92504-81-0x0000000000AD0000-0x0000000000ADA000-memory.dmpFilesize
40KB