Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 07-03-2023 12:42

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en
General
- Target: file.exe
- Size: 206KB
- MD5: 307ce80121e9db63857ffbcc6e6f413e
- SHA1: 9721de97ac9d1ff4b6224fff96700acdc2a51984
- SHA256: 70b1cf50a59c123dacf50e8f9356e0b65c850e05aa2511bb8d5556b87ce12f8e
- SHA512: fc3ec1a3c8acf148051d74bec02caf5ffdd7428d271ce7f56eed8a2b78ef7014c69300d1c704861370b255e361b35daade8fb3da0dcd914d462311e5ce171961
- SSDEEP: 6144:PYa6O699YTGIehAlmP4+LOmt4qTGu9E2kw3mP:PYA6OpeK+LO2TT/91k/P
Malware Config
Extracted
- Family: redline
- Botnet: cheat
- C2: 193.47.61.37:38369
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  resource / yara_rule:
  behavioral1/memory/1944-69-0x0000000000400000-0x000000000042F000-memory.dmp  family_redline
  behavioral1/memory/1944-73-0x0000000000400000-0x000000000042F000-memory.dmp  family_redline
  behavioral1/memory/1944-74-0x0000000000230000-0x000000000024E000-memory.dmp  family_redline
  behavioral1/memory/1944-75-0x0000000000400000-0x000000000042F000-memory.dmp  family_redline
  behavioral1/memory/1944-164-0x0000000000400000-0x000000000042F000-memory.dmp  family_redline
- SectopRAT payload (5 IoCs)
  resource / yara_rule:
  behavioral1/memory/1944-69-0x0000000000400000-0x000000000042F000-memory.dmp  family_sectoprat
  behavioral1/memory/1944-73-0x0000000000400000-0x000000000042F000-memory.dmp  family_sectoprat
  behavioral1/memory/1944-74-0x0000000000230000-0x000000000024E000-memory.dmp  family_sectoprat
  behavioral1/memory/1944-75-0x0000000000400000-0x000000000042F000-memory.dmp  family_sectoprat
  behavioral1/memory/1944-164-0x0000000000400000-0x000000000042F000-memory.dmp  family_sectoprat
- Executes dropped EXE (2 IoCs)
  pid / process:
  1316  rrgfoacgb.exe
  1944  rrgfoacgb.exe
- Loads dropped DLL (3 IoCs)
  pid / process:
  1400  file.exe
  1400  file.exe
  1316  rrgfoacgb.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / process / target process:
  PID 1316 set thread context of 1944  1316  rrgfoacgb.exe  rrgfoacgb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / process:
  1944  rrgfoacgb.exe
  1944  rrgfoacgb.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid / process:
  1316  rrgfoacgb.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
  Token: SeDebugPrivilege  1944  rrgfoacgb.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / process / target process:
  PID 1400 wrote to memory of 1316  1400  file.exe  rrgfoacgb.exe
  PID 1400 wrote to memory of 1316  1400  file.exe  rrgfoacgb.exe
  PID 1400 wrote to memory of 1316  1400  file.exe  rrgfoacgb.exe
  PID 1400 wrote to memory of 1316  1400  file.exe  rrgfoacgb.exe
  PID 1316 wrote to memory of 1944  1316  rrgfoacgb.exe  rrgfoacgb.exe
  PID 1316 wrote to memory of 1944  1316  rrgfoacgb.exe  rrgfoacgb.exe
  PID 1316 wrote to memory of 1944  1316  rrgfoacgb.exe  rrgfoacgb.exe
  PID 1316 wrote to memory of 1944  1316  rrgfoacgb.exe  rrgfoacgb.exe
  PID 1316 wrote to memory of 1944  1316  rrgfoacgb.exe  rrgfoacgb.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe" C:\Users\Admin\AppData\Local\Temp\sfrwbk.h
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
  Filesize: 6KB
  MD5: cbf7a3da7ae08e09c502c0c3d8f53341
  SHA1: 42b21a5e6b898adf8d3f7e6a86ef708528625d72
  SHA256: 8ec95a918373228d8ed14db19a1e4c546ebdb03245340036dd2b06214ee3185f
  SHA512: 4468dc1f1b67da1736cf6e9236c628f44ff7af025cb0364c734c55c6689ec2395c6c60efc89e67bd62e759e6f258515a5ce12703844779b2941fa22d98aff665
- C:\Users\Admin\AppData\Local\Temp\sfrwbk.h
  Filesize: 5KB
  MD5: 539dc88b476d838ab32cffbbd7f33119
  SHA1: 7984f24b9f4c24227bd21d5f0f6229892baf5276
  SHA256: 7df8cd18e6c94fb288b7286bd857a72b1b871e6e37a3be89184bcc9ab5bc2f92
  SHA512: 14099ad263918e9c1af855668e1f5297c103959a90d6456206b0732c5d5800fd82f79a7cc634abaa6799754a2f759f030d254097fe68c72cdcb4a7919824ced0
- C:\Users\Admin\AppData\Local\Temp\tmp45D9.tmp
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- C:\Users\Admin\AppData\Local\Temp\tmp461E.tmp
  Filesize: 92KB
  MD5: d6492f228d1417a459765d7b9657cbba
  SHA1: ef73426c3634a16ac6c15803633e77035abd032c
  SHA256: 75fbdce4223e0df5805b3fddc158d6c955b34b2112ed83d9967e731cc9f8cfb7
  SHA512: 50c5c6955ac90ccc1602bc32fc2d03808f42fbde7be46c681d7b7e99eb4cfe222a868c6c73728e4afce1b5904d7b2148c29ed5b177c38a5c1bfaf047e86b5613
- C:\Users\Admin\AppData\Local\Temp\ujpwrdckn.mu
  Filesize: 193KB
  MD5: af97c7480ebf09c4f55bdfd2d151be6e
  SHA1: 24acb91a4245db415b380d68a2718c74496673cb
  SHA256: b1f419510b5afd191caff80bcfd3d7df728e9ada37f173b10dcc0edfa61f5b9d
  SHA512: 673f308a3876aad3839046a37242bef07d9717ec941bbacf27c3b0000868a7ec88eb8964982d1dd79557ecb30d5a361558691ab25729660b8ceac77a0027ff8e
- \Users\Admin\AppData\Local\Temp\rrgfoacgb.exe
  Filesize: 6KB
  MD5: cbf7a3da7ae08e09c502c0c3d8f53341
  SHA1: 42b21a5e6b898adf8d3f7e6a86ef708528625d72
  SHA256: 8ec95a918373228d8ed14db19a1e4c546ebdb03245340036dd2b06214ee3185f
  SHA512: 4468dc1f1b67da1736cf6e9236c628f44ff7af025cb0364c734c55c6689ec2395c6c60efc89e67bd62e759e6f258515a5ce12703844779b2941fa22d98aff665
- memory/1944-69-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1944-76-0x0000000004830000-0x0000000004870000-memory.dmp
  Filesize: 256KB
- memory/1944-75-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1944-74-0x0000000000230000-0x000000000024E000-memory.dmp
  Filesize: 120KB
- memory/1944-73-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1944-164-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB