Overview

overview

10

Static

static

285cbd341d...46.exe

windows7-x64

10

285cbd341d...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2022 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    285cbd341de6e17b42f1663245a58346.exe

  • Size

    6KB

  • MD5

    285cbd341de6e17b42f1663245a58346

  • SHA1

    5281aa0f428bca4b5eeafda1b7eefc5735490d09

  • SHA256

    55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c

  • SHA512

    4a66b1409d84376228b4276dd13f0bd42aee0e935755faf01bde72c2b8a2d69da9addd55cf41a3c4a47ca06795f70ee6452976edc10de1b1ccea8705b3cd047d

  • SSDEEP

    96:7sfW3+7yyZLiS9co2FhRPr4SNkyfkkWFnU:7/22Fhx4SGQz

Score
10/10
redlinespooferdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

SPOOFER

C2

20.197.226.40:32619

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\285cbd341de6e17b42f1663245a58346.exe
    "C:\Users\Admin\AppData\Local\Temp\285cbd341de6e17b42f1663245a58346.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1496
    • C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
      "C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2000
    • C:\Users\Admin\AppData\Local\Temp\285cbd341de6e17b42f1663245a58346.exe
      C:\Users\Admin\AppData\Local\Temp\285cbd341de6e17b42f1663245a58346.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
    Filesize

    9.7MB

    MD5

    0974f41ccfe913ecca0e02b69e2a48e2

    SHA1

    b96e82a039a2024a8c352b6332a582593628bfba

    SHA256

    7186284537f1f025d1f2e92d6f7b40b0a2de4ecc8a9c5ee96ff90001c38e6a8b

    SHA512

    60bcd8102e535b0d56ef170609ec6f3c5fcf36ab09e4fcfbf82fe92e77124bc6ee19dae7963b1078424d65010b43a741615ba0dbdce582d6402f8adf97303c8e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
    Filesize

    9.7MB

    MD5

    0974f41ccfe913ecca0e02b69e2a48e2

    SHA1

    b96e82a039a2024a8c352b6332a582593628bfba

    SHA256

    7186284537f1f025d1f2e92d6f7b40b0a2de4ecc8a9c5ee96ff90001c38e6a8b

    SHA512

    60bcd8102e535b0d56ef170609ec6f3c5fcf36ab09e4fcfbf82fe92e77124bc6ee19dae7963b1078424d65010b43a741615ba0dbdce582d6402f8adf97303c8e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
    Filesize

    9.7MB

    MD5

    0974f41ccfe913ecca0e02b69e2a48e2

    SHA1

    b96e82a039a2024a8c352b6332a582593628bfba

    SHA256

    7186284537f1f025d1f2e92d6f7b40b0a2de4ecc8a9c5ee96ff90001c38e6a8b

    SHA512

    60bcd8102e535b0d56ef170609ec6f3c5fcf36ab09e4fcfbf82fe92e77124bc6ee19dae7963b1078424d65010b43a741615ba0dbdce582d6402f8adf97303c8e

    Download Submit
  • memory/596-71-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/596-72-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/596-77-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/596-75-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/596-73-0x000000000041933E-mapping.dmp
    Download
  • memory/596-70-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/596-68-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/596-67-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1488-55-0x0000000075D01000-0x0000000075D03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1488-56-0x0000000008E70000-0x0000000009880000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1488-57-0x0000000000640000-0x00000000006D2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1488-54-0x0000000000F50000-0x0000000000F58000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1496-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1496-62-0x000000006E9D0000-0x000000006EF7B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1496-61-0x000000006E9D0000-0x000000006EF7B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1496-60-0x000000006E9D0000-0x000000006EF7B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2000-64-0x0000000000000000-mapping.dmp
    Download
  • memory/2000-78-0x0000000140000000-0x00000001412A5000-memory.dmp
    Filesize

    18.6MB

    Download
  • memory/2000-83-0x0000000140000000-0x00000001412A5000-memory.dmp
    Filesize

    18.6MB

    Download
  • memory/2000-84-0x0000000140000000-0x00000001412A5000-memory.dmp
    Filesize

    18.6MB

    Download