Overview

overview

10

Static

static

661a6a25cb...9a.exe

windows7-x64

10

661a6a25cb...9a.exe

windows10-2004-x64

10

Resubmissions

26-09-2022 01:16

220926-bms4laggg3 10

23-09-2022 06:37

220923-hdg4asddc7 10

Analysis

  • max time kernel
    121s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2022 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    661a6a25cbdbec6543e74fae455e349a.exe

  • Size

    926KB

  • MD5

    661a6a25cbdbec6543e74fae455e349a

  • SHA1

    c5486f079370b7a0b2c1dbd170035ce25da8163e

  • SHA256

    60c85fce1fbb2d9aaf9737335785e6c0c55b1e42a45394aa7c408b93f2b9bdf0

  • SHA512

    b2514f2f29d73a41a4c26c81c1997dd3cd91258461b71da86e7cfe6f02d416cd13d11747be9b274a612b08544cd4389b7c2f0337a4a2b020d7c5e8babf51bb5b

  • SSDEEP

    12288:taxffztFbbNiQoNS+2pvdNbbM3wBirlBQYg3fLLD:taxHzvwQoNS+q/bbswBirPQYgvD

Score
10/10
redlinemag21infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

mag21

C2

jamesmillion.xyz:47481

Attributes
  • auth_value

    b5ecf039f4b13b472d3c95fc6fe41fc8

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\661a6a25cbdbec6543e74fae455e349a.exe
    "C:\Users\Admin\AppData\Local\Temp\661a6a25cbdbec6543e74fae455e349a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Users\Admin\AppData\Local\Temp\mg.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\mg.exe.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:32
      • C:\Program Files (x86)\Common Files\MinerStub.exe
        "C:\Program Files (x86)\Common Files\MinerStub.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3000
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4148
  • C:\Users\Admin\AppData\Roaming\MinerStub.exe
    C:\Users\Admin\AppData\Roaming\MinerStub.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\MinerStub.exe
    Filesize

    469KB

    MD5

    5df52a373daa1af07a403e3556ecc43c

    SHA1

    1791f75489f917078e3f15172efe1c3b214c5567

    SHA256

    5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

    SHA512

    f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

    Download Submit
  • C:\Program Files (x86)\Common Files\MinerStub.exe
    Filesize

    469KB

    MD5

    5df52a373daa1af07a403e3556ecc43c

    SHA1

    1791f75489f917078e3f15172efe1c3b214c5567

    SHA256

    5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

    SHA512

    f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

    Download Submit
  • C:\Users\Admin\AppData\Roaming\MinerStub.exe
    Filesize

    469KB

    MD5

    5df52a373daa1af07a403e3556ecc43c

    SHA1

    1791f75489f917078e3f15172efe1c3b214c5567

    SHA256

    5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

    SHA512

    f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

    Download Submit
  • C:\Users\Admin\AppData\Roaming\MinerStub.exe
    Filesize

    469KB

    MD5

    5df52a373daa1af07a403e3556ecc43c

    SHA1

    1791f75489f917078e3f15172efe1c3b214c5567

    SHA256

    5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

    SHA512

    f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

    Download Submit
  • memory/32-138-0x0000000000000000-mapping.dmp
    Download
  • memory/880-139-0x0000000000000000-mapping.dmp
    Download
  • memory/880-150-0x00007FFFCDE40000-0x00007FFFCE901000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/880-142-0x00000000002D0000-0x0000000000348000-memory.dmp
    Filesize

    480KB

    Download
  • memory/880-144-0x00007FFFCDE40000-0x00007FFFCE901000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/880-145-0x00007FFFCDE40000-0x00007FFFCE901000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1636-154-0x00007FFFCDE40000-0x00007FFFCE901000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1636-152-0x00007FFFCDE40000-0x00007FFFCE901000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3000-153-0x00007FFFCDE40000-0x00007FFFCE901000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3000-151-0x00007FFFCDE40000-0x00007FFFCE901000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3000-146-0x0000000000000000-mapping.dmp
    Download
  • memory/3000-147-0x0000020A298F0000-0x0000020A29912000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4148-164-0x0000000006BF0000-0x0000000006DB2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4148-161-0x0000000005DB0000-0x0000000005E26000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4148-163-0x00000000068D0000-0x0000000006920000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4148-143-0x0000000000000000-mapping.dmp
    Download
  • memory/4148-162-0x0000000005CE0000-0x0000000005CFE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4148-160-0x0000000005140000-0x00000000051A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4148-159-0x0000000004DF0000-0x0000000004E2C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4148-155-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/4148-156-0x0000000005300000-0x0000000005918000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4148-157-0x0000000004D90000-0x0000000004DA2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4148-158-0x0000000004EC0000-0x0000000004FCA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4528-137-0x0000000010100000-0x000000001062C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4528-134-0x0000000004FD0000-0x000000000506C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4528-136-0x0000000005090000-0x000000000509A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4528-133-0x0000000005660000-0x0000000005C04000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4528-135-0x00000000068E0000-0x0000000006972000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4528-132-0x0000000000CA0000-0x0000000000D8E000-memory.dmp
    Filesize

    952KB

    Download