Analysis
max time kernel: 43s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 08-02-2023 03:59
Static task: static1
Behavioral task: behavioral1
  Sample: d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
  Resource: win10-20220901-en
General
Target: d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
Size: 519KB
MD5: 5be1b03ddf789ab88033ea07c9fef3bb
SHA1: 2ce884cf3c65cf4975521bf64ad2022b6eba2f51
SHA256: d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7
SHA512: 512c0c648880e2bccb2a25e4e168e2f9ffe731518fd3c93d1a24ee13517a83a0e80f3a9683be92ee2802dfa423800c85b9e7b5bb9f9da20bb07a42822847c698
SSDEEP: 12288:VMrFy90nJPPR1hj43dRJKVu1S45CLmYRj:YyIhLj4NioUmq
Malware Config
Extracted
  Family: redline
  Botnet: roma
  C2: 193.233.20.7:4131
  auth_value: f099c2cf92834dbc554a94e1456cf576
Extracted
  Family: redline
  Botnet: new1
  C2: 176.113.115.16:4132
  auth_value: ac44cbde6633acc9d67419c7278d5c70
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/memory/1928-62-0x0000000002180000-0x00000000021C6000-memory.dmp | family_redline
behavioral1/memory/1928-63-0x00000000021C0000-0x0000000002204000-memory.dmp | family_redline

Executes dropped EXE (2 IoCs)
pid | process
1928 | bBif.exe
1076 | newcr.exe

Loads dropped DLL (6 IoCs)
pid | process
1112 | d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
1112 | d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
1928 | bBif.exe
1112 | d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
1112 | d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
1076 | newcr.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 1076 set thread context of 548 | 1076 | newcr.exe | AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | process
1928 | bBif.exe
1928 | bBif.exe
548 | AppLaunch.exe
548 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1928 | bBif.exe
Token: SeDebugPrivilege | 548 | AppLaunch.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | process | target process
PID 1112 wrote to memory of 1928 | 1112 | d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe | bBif.exe (7 entries)
PID 1112 wrote to memory of 1076 | 1112 | d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe | newcr.exe (7 entries)
PID 1076 wrote to memory of 548 | 1076 | newcr.exe | AppLaunch.exe (9 entries)

Processes
C:\Users\Admin\AppData\Local\Temp\d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bBif.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bBif.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\newcr.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\newcr.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bBif.exe
  Filesize: 305KB
  MD5: 08f88a52e090ec6ca798b55e316da786
  SHA1: 268822839ee5e27ed06b6d441362de20ae3deef6
  SHA256: 951d69242083538a766034ad06199be39f9dfe3fb3b8ae6b2c4113c730cb2f8c
  SHA512: a6eee3bbd3fe2bfffffceab32cd823319c50bd886b2e69feb3b051a452a7ec8f0c8720ce08b020503b3a59329529a5e61e911b0ff2b94da845640b8ff76bae81
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\newcr.exe
  Filesize: 283KB
  MD5: 77d5a396629251570dc77efd9d528e5d
  SHA1: bd3c5750bfe7e46c96ab3b1b35c59251a3172564
  SHA256: c63b14e787d2cad47669489bb2072157996c7b9d629ed24fae960234271a949d
  SHA512: 37a9a6483c1e5b3b97889da9542d957b83db4f6902aa4f322565ff41248ecf86b264d33db9e3962c3aa2fd7cb4e2d6bbc78486e46018f663c2c59d20dc314476
\Users\Admin\AppData\Local\Temp\IXP000.TMP\bBif.exe
  Filesize: 305KB
  MD5: 08f88a52e090ec6ca798b55e316da786
  SHA1: 268822839ee5e27ed06b6d441362de20ae3deef6
  SHA256: 951d69242083538a766034ad06199be39f9dfe3fb3b8ae6b2c4113c730cb2f8c
  SHA512: a6eee3bbd3fe2bfffffceab32cd823319c50bd886b2e69feb3b051a452a7ec8f0c8720ce08b020503b3a59329529a5e61e911b0ff2b94da845640b8ff76bae81
\Users\Admin\AppData\Local\Temp\IXP000.TMP\newcr.exe
  Filesize: 283KB
  MD5: 77d5a396629251570dc77efd9d528e5d
  SHA1: bd3c5750bfe7e46c96ab3b1b35c59251a3172564
  SHA256: c63b14e787d2cad47669489bb2072157996c7b9d629ed24fae960234271a949d
  SHA512: 37a9a6483c1e5b3b97889da9542d957b83db4f6902aa4f322565ff41248ecf86b264d33db9e3962c3aa2fd7cb4e2d6bbc78486e46018f663c2c59d20dc314476
memory/548-85-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize 200KB)
memory/548-86-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize 200KB)
memory/548-84-0x000000000041B596-mapping.dmp
memory/548-79-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize 200KB)
memory/548-77-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize 200KB)
memory/1076-76-0x0000000000163000-0x0000000000165000-memory.dmp (Filesize 8KB)
memory/1076-71-0x0000000000000000-mapping.dmp
memory/1112-54-0x0000000076031000-0x0000000076033000-memory.dmp (Filesize 8KB)
memory/1928-65-0x00000000003A0000-0x00000000003EB000-memory.dmp (Filesize 300KB)
memory/1928-57-0x0000000000000000-mapping.dmp
memory/1928-62-0x0000000002180000-0x00000000021C6000-memory.dmp (Filesize 280KB)
memory/1928-63-0x00000000021C0000-0x0000000002204000-memory.dmp (Filesize 272KB)
memory/1928-64-0x00000000002DF000-0x000000000030E000-memory.dmp (Filesize 188KB)
memory/1928-68-0x0000000000400000-0x000000000057B000-memory.dmp (Filesize 1.5MB)
memory/1928-67-0x00000000002DF000-0x000000000030E000-memory.dmp (Filesize 188KB)
memory/1928-66-0x0000000000400000-0x000000000057B000-memory.dmp (Filesize 1.5MB)