Analysis
max time kernel: 67s
max time network: 69s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 15-12-2022 01:04
Static task: static1
Behavioral task: behavioral1
  Sample: 285cbd341de6e17b42f1663245a58346.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 285cbd341de6e17b42f1663245a58346.exe
  Resource: win10v2004-20220812-en
General
Target: 285cbd341de6e17b42f1663245a58346.exe
Size: 6KB
MD5: 285cbd341de6e17b42f1663245a58346
SHA1: 5281aa0f428bca4b5eeafda1b7eefc5735490d09
SHA256: 55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c
SHA512: 4a66b1409d84376228b4276dd13f0bd42aee0e935755faf01bde72c2b8a2d69da9addd55cf41a3c4a47ca06795f70ee6452976edc10de1b1ccea8705b3cd047d
SSDEEP: 96:7sfW3+7yyZLiS9co2FhRPr4SNkyfkkWFnU:7/22Fhx4SGQz
Malware Config
Extracted
Family: redline
Botnet: SPOOFER
C2: 20.197.226.40:32619
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (6 IoCs)
  YARA rule family_redline matched in:
  - behavioral1/memory/596-70-0x0000000000400000-0x000000000041E000-memory.dmp
  - behavioral1/memory/596-71-0x0000000000400000-0x000000000041E000-memory.dmp
  - behavioral1/memory/596-72-0x0000000000400000-0x000000000041E000-memory.dmp
  - behavioral1/memory/596-73-0x000000000041933E-mapping.dmp
  - behavioral1/memory/596-75-0x0000000000400000-0x000000000041E000-memory.dmp
  - behavioral1/memory/596-77-0x0000000000400000-0x000000000041E000-memory.dmp
- Executes dropped EXE (1 IoC)
  PID 2000: Ynraflilhuhdhncsolreloader.exe
- Loads dropped DLL (1 IoC)
  PID 1488: 285cbd341de6e17b42f1663245a58346.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 2000: Ynraflilhuhdhncsolreloader.exe (2 events)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1488 (285cbd341de6e17b42f1663245a58346.exe) set thread context of PID 596 (285cbd341de6e17b42f1663245a58346.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1496: powershell.exe; PID 2000: Ynraflilhuhdhncsolreloader.exe; PID 596: 285cbd341de6e17b42f1663245a58346.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege enabled by: PID 1488 285cbd341de6e17b42f1663245a58346.exe; PID 1496 powershell.exe; PID 596 285cbd341de6e17b42f1663245a58346.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1488 (285cbd341de6e17b42f1663245a58346.exe) wrote to the memory of:
  - PID 1496 powershell.exe (4 events)
  - PID 2000 Ynraflilhuhdhncsolreloader.exe (4 events)
  - PID 596 285cbd341de6e17b42f1663245a58346.exe (9 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\285cbd341de6e17b42f1663245a58346.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\285cbd341de6e17b42f1663245a58346.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of the above)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    The -ENC argument is base64 of a UTF-16LE string; decoded it reads: start-sleep -seconds 20
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\285cbd341de6e17b42f1663245a58346.exe (depth 2, child of the above)
    Command line: C:\Users\Admin\AppData\Local\Temp\285cbd341de6e17b42f1663245a58346.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
  Filesize: 9.7MB
  MD5: 0974f41ccfe913ecca0e02b69e2a48e2
  SHA1: b96e82a039a2024a8c352b6332a582593628bfba
  SHA256: 7186284537f1f025d1f2e92d6f7b40b0a2de4ecc8a9c5ee96ff90001c38e6a8b
  SHA512: 60bcd8102e535b0d56ef170609ec6f3c5fcf36ab09e4fcfbf82fe92e77124bc6ee19dae7963b1078424d65010b43a741615ba0dbdce582d6402f8adf97303c8e
Memory dumps
- memory/596-71-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/596-72-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/596-77-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/596-75-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/596-73-0x000000000041933E-mapping.dmp
- memory/596-70-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/596-68-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/596-67-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/1488-55-0x0000000075D01000-0x0000000075D03000-memory.dmp (8KB)
- memory/1488-56-0x0000000008E70000-0x0000000009880000-memory.dmp (10.1MB)
- memory/1488-57-0x0000000000640000-0x00000000006D2000-memory.dmp (584KB)
- memory/1488-54-0x0000000000F50000-0x0000000000F58000-memory.dmp (32KB)
- memory/1496-58-0x0000000000000000-mapping.dmp
- memory/1496-62-0x000000006E9D0000-0x000000006EF7B000-memory.dmp (5.7MB)
- memory/1496-61-0x000000006E9D0000-0x000000006EF7B000-memory.dmp (5.7MB)
- memory/1496-60-0x000000006E9D0000-0x000000006EF7B000-memory.dmp (5.7MB)
- memory/2000-64-0x0000000000000000-mapping.dmp
- memory/2000-78-0x0000000140000000-0x00000001412A5000-memory.dmp (18.6MB)
- memory/2000-83-0x0000000140000000-0x00000001412A5000-memory.dmp (18.6MB)
- memory/2000-84-0x0000000140000000-0x00000001412A5000-memory.dmp (18.6MB)