Analysis
- max time kernel: 63s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-09-2022 20:44
Static task: static1
Behavioral task: behavioral1
Sample: 5DDFCF4815E94C48F1031CED6E010868.exe
Resource: win7-20220901-en
General
- Target: 5DDFCF4815E94C48F1031CED6E010868.exe
- Size: 4.6MB
- MD5: 5ddfcf4815e94c48f1031ced6e010868
- SHA1: a4e2383b7ef2b19279dab80c1393fa0bf49bd160
- SHA256: 8d73bdbb7100a3189c890f3c579c245bd19c75f5ace2aee9bb0fb3a11072f48d
- SHA512: 828dc460f0961fc0a6e503aca6089b41ad64ed3cd20c7bdf31d390f25b889cb03ca244ab76ac7da4934a74e793055576b11505528e32a0f20ca41186782fe888
- SSDEEP: 98304:EupPsMZmR207JGQUs0tYapHunTkOr8hGRWtg6hYemraATFotYuoz:Euplmk00psYAkOr6tgECXTGeuI
Malware Config
Extracted: redline
- 45.138.74.121:80
- auth_value: b9baf351bc89181c836a21fda4084a03
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/100148-140-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: family_redline
- YTStealer payload (2 IoCs)
  resource: behavioral2/memory/388-149-0x0000000000980000-0x000000000179B000-memory.dmp; yara_rule: family_ytstealer
  resource: behavioral2/memory/388-156-0x0000000000980000-0x000000000179B000-memory.dmp; yara_rule: family_ytstealer
- Executes dropped EXE (2 IoCs)
  pid 4928; process @colored_tea_breakfast_crypted.exe
  pid 388; process 5075132399.exe
- yara_rule upx (5 IoCs)
  resource: behavioral2/files/0x0003000000000723-137.dat; yara_rule: upx
  resource: behavioral2/files/0x0003000000000723-136.dat; yara_rule: upx
  resource: behavioral2/memory/388-138-0x0000000000980000-0x000000000179B000-memory.dmp; yara_rule: upx
  resource: behavioral2/memory/388-149-0x0000000000980000-0x000000000179B000-memory.dmp; yara_rule: upx
  resource: behavioral2/memory/388-156-0x0000000000980000-0x000000000179B000-memory.dmp; yara_rule: upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 4928 set thread context of 100148; pid 4928; process @colored_tea_breakfast_crypted.exe; procid_target 82
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 3504; process powershell.exe
  pid 3504; process powershell.exe
  pid 100148; process AppLaunch.exe
  pid 100148; process AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid 100148; process AppLaunch.exe
  description: Token: SeDebugPrivilege; pid 3504; process powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 2364 wrote to memory of 4928; pid 2364; process 5DDFCF4815E94C48F1031CED6E010868.exe; procid_target 79
  description: PID 2364 wrote to memory of 4928; pid 2364; process 5DDFCF4815E94C48F1031CED6E010868.exe; procid_target 79
  description: PID 2364 wrote to memory of 4928; pid 2364; process 5DDFCF4815E94C48F1031CED6E010868.exe; procid_target 79
  description: PID 2364 wrote to memory of 388; pid 2364; process 5DDFCF4815E94C48F1031CED6E010868.exe; procid_target 81
  description: PID 2364 wrote to memory of 388; pid 2364; process 5DDFCF4815E94C48F1031CED6E010868.exe; procid_target 81
  description: PID 4928 wrote to memory of 100148; pid 4928; process @colored_tea_breakfast_crypted.exe; procid_target 82
  description: PID 4928 wrote to memory of 100148; pid 4928; process @colored_tea_breakfast_crypted.exe; procid_target 82
  description: PID 4928 wrote to memory of 100148; pid 4928; process @colored_tea_breakfast_crypted.exe; procid_target 82
  description: PID 4928 wrote to memory of 100148; pid 4928; process @colored_tea_breakfast_crypted.exe; procid_target 82
  description: PID 4928 wrote to memory of 100148; pid 4928; process @colored_tea_breakfast_crypted.exe; procid_target 82
  description: PID 388 wrote to memory of 3504; pid 388; process 5075132399.exe; procid_target 89
  description: PID 388 wrote to memory of 3504; pid 388; process 5075132399.exe; procid_target 89
Processes
- C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe"
  PID: 2364
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe (level 2)
    command line: C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
    PID: 4928
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (level 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 100148
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\5075132399.exe (level 2)
    command line: C:\Users\Admin\AppData\Roaming\5075132399.exe
    PID: 388
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      command line: powershell "" "Get-WmiObject Win32_PortConnector"
      PID: 3504
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4.1MB
  MD5: 39c82e2f3a3c5d438aeafae69664b525
  SHA1: 0f000990a2f611801248fe953a665bf28775698d
  SHA256: c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59
  SHA512: 30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d
- Filesize: 1.2MB
  MD5: 4b7a101c5d6583f67fa574f7d9eab212
  SHA1: 88f34c4b0491dc3490fdce653d43a2f1b45943a5
  SHA256: 6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5
  SHA512: 449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb