Overview

overview

10

Static

static

9e0f5e7f6f...f6.exe

windows7-x64

10

9e0f5e7f6f...f6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2022 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e0f5e7f6f3bf3647948f39e795f1ff6.exe

  • Size

    5.3MB

  • MD5

    9e0f5e7f6f3bf3647948f39e795f1ff6

  • SHA1

    dc6d84444138c88b1429a8aad6fe04f7f7ef71b5

  • SHA256

    68db7ba636a775b8ed355d9b3f4a143fa4c5b080eee5c4c47ad3dc4b982f44d0

  • SHA512

    dd2bbf1687c86ac001ef1f67e4f07b6e8406fe70bf68bff220a37cf32a5b618be068226fdb6e043704d65412f1fd996491b8a09cb74432db5c37f9284af1845b

  • SSDEEP

    49152:sPFJCvLqOaSTK5ISawpVpVliC8Tkx23fmAmcViw:sPFsjqOaSFUOfmeiw

Score
10/10
redlineakashadiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

AKASHA

C2

77.73.134.54:19123

Attributes
  • auth_value

    c8eb531f5a0c4b089ceefdcdfcce06d9

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e0f5e7f6f3bf3647948f39e795f1ff6.exe
    "C:\Users\Admin\AppData\Local\Temp\9e0f5e7f6f3bf3647948f39e795f1ff6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe
      "C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe
        "C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:580

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe
    Filesize

    872KB

    MD5

    0d68fe1dcf245fb8e8a5f0ce28d97b15

    SHA1

    a40f7ed00bc93c1f134d54712eb71d36ef2fec78

    SHA256

    70d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f

    SHA512

    01b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d

    Download Submit

  • C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe
    Filesize

    872KB

    MD5

    0d68fe1dcf245fb8e8a5f0ce28d97b15

    SHA1

    a40f7ed00bc93c1f134d54712eb71d36ef2fec78

    SHA256

    70d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f

    SHA512

    01b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d

    Download Submit

  • C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe
    Filesize

    872KB

    MD5

    0d68fe1dcf245fb8e8a5f0ce28d97b15

    SHA1

    a40f7ed00bc93c1f134d54712eb71d36ef2fec78

    SHA256

    70d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f

    SHA512

    01b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d

    Download Submit

  • \ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe
    Filesize

    872KB

    MD5

    0d68fe1dcf245fb8e8a5f0ce28d97b15

    SHA1

    a40f7ed00bc93c1f134d54712eb71d36ef2fec78

    SHA256

    70d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f

    SHA512

    01b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d

    Download Submit

  • \ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe
    Filesize

    872KB

    MD5

    0d68fe1dcf245fb8e8a5f0ce28d97b15

    SHA1

    a40f7ed00bc93c1f134d54712eb71d36ef2fec78

    SHA256

    70d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f

    SHA512

    01b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d

    Download Submit

  • memory/580-68-0x0000000001D50000-0x0000000001D8E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/580-60-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/580-62-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/580-63-0x000000000040CD2F-mapping.dmp

    Download

  • memory/580-67-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/580-71-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/580-72-0x0000000001DD0000-0x0000000001E0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/580-74-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/868-66-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/868-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1352-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1352-69-0x0000000003650000-0x00000000036C0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1352-70-0x0000000003650000-0x00000000036C0000-memory.dmp

    Filesize

    448KB

    Download