Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 15-11-2022 16:13
Static task: static1
Behavioral task: behavioral1
Sample: 9e0f5e7f6f3bf3647948f39e795f1ff6.exe
Resource: win7-20221111-en
General
- Target: 9e0f5e7f6f3bf3647948f39e795f1ff6.exe
- Size: 5.3MB
- MD5: 9e0f5e7f6f3bf3647948f39e795f1ff6
- SHA1: dc6d84444138c88b1429a8aad6fe04f7f7ef71b5
- SHA256: 68db7ba636a775b8ed355d9b3f4a143fa4c5b080eee5c4c47ad3dc4b982f44d0
- SHA512: dd2bbf1687c86ac001ef1f67e4f07b6e8406fe70bf68bff220a37cf32a5b618be068226fdb6e043704d65412f1fd996491b8a09cb74432db5c37f9284af1845b
- SSDEEP: 49152:sPFJCvLqOaSTK5ISawpVpVliC8Tkx23fmAmcViw:sPFsjqOaSFUOfmeiw
Malware Config
Extracted
- family: redline
- botnet: AKASHA
- C2: 77.73.134.54:19123
- auth_value: c8eb531f5a0c4b089ceefdcdfcce06d9
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/580-68-0x0000000001D50000-0x0000000001D8E000-memory.dmp  family_redline
  behavioral1/memory/1352-69-0x0000000003650000-0x00000000036C0000-memory.dmp  family_redline
  behavioral1/memory/580-72-0x0000000001DD0000-0x0000000001E0C000-memory.dmp  family_redline
- Executes dropped EXE (2 IoCs)
Processes (pid / process):
  868  elclass.exe
  580  elclass.exe
- Loads dropped DLL (2 IoCs)
Processes (pid / process):
  1352  9e0f5e7f6f3bf3647948f39e795f1ff6.exe
  1352  9e0f5e7f6f3bf3647948f39e795f1ff6.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
Processes (description / pid / process / target process):
  PID 868 set thread context of 580  868  elclass.exe  elclass.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes (pid / process):
  580  elclass.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  580  elclass.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description / pid / process / target process):
  PID 1352 wrote to memory of 868  1352  9e0f5e7f6f3bf3647948f39e795f1ff6.exe  elclass.exe
  PID 1352 wrote to memory of 868  1352  9e0f5e7f6f3bf3647948f39e795f1ff6.exe  elclass.exe
  PID 1352 wrote to memory of 868  1352  9e0f5e7f6f3bf3647948f39e795f1ff6.exe  elclass.exe
  PID 1352 wrote to memory of 868  1352  9e0f5e7f6f3bf3647948f39e795f1ff6.exe  elclass.exe
  PID 868 wrote to memory of 580  868  elclass.exe  elclass.exe
  PID 868 wrote to memory of 580  868  elclass.exe  elclass.exe
  PID 868 wrote to memory of 580  868  elclass.exe  elclass.exe
  PID 868 wrote to memory of 580  868  elclass.exe  elclass.exe
  PID 868 wrote to memory of 580  868  elclass.exe  elclass.exe
  PID 868 wrote to memory of 580  868  elclass.exe  elclass.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9e0f5e7f6f3bf3647948f39e795f1ff6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e0f5e7f6f3bf3647948f39e795f1ff6.exe"
  PID: 1352
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe
    Command line: "C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"
    PID: 868
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe
      Command line: "C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"
      PID: 580
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 872KB
  MD5: 0d68fe1dcf245fb8e8a5f0ce28d97b15
  SHA1: a40f7ed00bc93c1f134d54712eb71d36ef2fec78
  SHA256: 70d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f
  SHA512: 01b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d