Overview

overview

10

Static

static

1

NordVPN Ch...v2.exe

windows7-x64

10

NordVPN Ch...v2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    20s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    11-03-2023 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NordVPN Checker by xRisky v2/NordVPN Checker by xRisky v2/NordVPN Checker by xRisky v2.exe

  • Size

    3.6MB

  • MD5

    9df94731f9ac86b4f1402c15b84a3578

  • SHA1

    5159c2b5714f441620e28ead76b1c0660c7e124c

  • SHA256

    dd4fc338c35dba00d865ebf26c18f892f321bc2e77564109e389ea01eaf77fd0

  • SHA512

    c3e6cc529f811d36c79c001b42d283984bda9da42242ea63b118ac546a561f301f72c43fcb46bed7a16470d2eb08744009ea23e80f24b544dca3d7dbb448f2c1

  • SSDEEP

    49152:KsxJtIT8zzAiAua9pByJcjCI1imWYVBqSLIaisl0ilx5MVuCzFIFIuRZ97F:BxJG9GemI1i8kkCnFI

Score
10/10
redlineagilenetinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Obfuscated with Agile.Net obfuscator 4 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2.exe
    "C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Roaming\Google Chrome.exe
      "C:\Users\Admin\AppData\Roaming\Google Chrome.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1748
    • C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe
      "C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe
    Filesize

    3.2MB

    MD5

    97cea94128fb016302f1a0d54143dba5

    SHA1

    bc25d61cbbb607207ca6361b0694584c6369ec26

    SHA256

    c5ad584af783dc9a379679db534564145a6b329b89a5681c5c30bc9fb4ae3f96

    SHA512

    1dd2b3e0617d8d3c4670f06ee0e7c3ed8f2e0a061c8bce6919271c29871203eba4590f7907e416c138df28afc1715f9187a1db427ca3741613924afb4bd240e7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe
    Filesize

    3.2MB

    MD5

    97cea94128fb016302f1a0d54143dba5

    SHA1

    bc25d61cbbb607207ca6361b0694584c6369ec26

    SHA256

    c5ad584af783dc9a379679db534564145a6b329b89a5681c5c30bc9fb4ae3f96

    SHA512

    1dd2b3e0617d8d3c4670f06ee0e7c3ed8f2e0a061c8bce6919271c29871203eba4590f7907e416c138df28afc1715f9187a1db427ca3741613924afb4bd240e7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Google Chrome.exe
    Filesize

    403KB

    MD5

    f903148b5a0c07db2c61ce05fa5c7db2

    SHA1

    b636a8bf5769f7fe27c263eab54026ac03732ad4

    SHA256

    2999cb6a5b4a9d38c8f85c1b24a6574147c12c90b4a36e5a81c7aa9c7eecfe3d

    SHA512

    3abb409a61e167f60af116cd2191435bdc7876ce5483905bd944a01dec2c41e5736ae4ffeb628ea74eeef205e7b5e0c0e04520b58e14aa3240bf9a2de0dfd9b9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Google Chrome.exe
    Filesize

    403KB

    MD5

    f903148b5a0c07db2c61ce05fa5c7db2

    SHA1

    b636a8bf5769f7fe27c263eab54026ac03732ad4

    SHA256

    2999cb6a5b4a9d38c8f85c1b24a6574147c12c90b4a36e5a81c7aa9c7eecfe3d

    SHA512

    3abb409a61e167f60af116cd2191435bdc7876ce5483905bd944a01dec2c41e5736ae4ffeb628ea74eeef205e7b5e0c0e04520b58e14aa3240bf9a2de0dfd9b9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe
    Filesize

    3.2MB

    MD5

    97cea94128fb016302f1a0d54143dba5

    SHA1

    bc25d61cbbb607207ca6361b0694584c6369ec26

    SHA256

    c5ad584af783dc9a379679db534564145a6b329b89a5681c5c30bc9fb4ae3f96

    SHA512

    1dd2b3e0617d8d3c4670f06ee0e7c3ed8f2e0a061c8bce6919271c29871203eba4590f7907e416c138df28afc1715f9187a1db427ca3741613924afb4bd240e7

    Download Submit
  • \Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe
    Filesize

    3.2MB

    MD5

    97cea94128fb016302f1a0d54143dba5

    SHA1

    bc25d61cbbb607207ca6361b0694584c6369ec26

    SHA256

    c5ad584af783dc9a379679db534564145a6b329b89a5681c5c30bc9fb4ae3f96

    SHA512

    1dd2b3e0617d8d3c4670f06ee0e7c3ed8f2e0a061c8bce6919271c29871203eba4590f7907e416c138df28afc1715f9187a1db427ca3741613924afb4bd240e7

    Download Submit
  • \Users\Admin\AppData\Roaming\Google Chrome.exe
    Filesize

    403KB

    MD5

    f903148b5a0c07db2c61ce05fa5c7db2

    SHA1

    b636a8bf5769f7fe27c263eab54026ac03732ad4

    SHA256

    2999cb6a5b4a9d38c8f85c1b24a6574147c12c90b4a36e5a81c7aa9c7eecfe3d

    SHA512

    3abb409a61e167f60af116cd2191435bdc7876ce5483905bd944a01dec2c41e5736ae4ffeb628ea74eeef205e7b5e0c0e04520b58e14aa3240bf9a2de0dfd9b9

    Download Submit
  • memory/1032-82-0x0000000004640000-0x0000000004664000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1032-86-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-77-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-79-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-78-0x0000000005300000-0x000000000566C000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1032-81-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-74-0x0000000005300000-0x000000000566C000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1032-72-0x0000000005300000-0x000000000566C000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1032-83-0x00000000082B0000-0x0000000008304000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1032-68-0x0000000005300000-0x0000000005674000-memory.dmp
    Filesize

    3.5MB

    Download
  • memory/1032-95-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-94-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-87-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-88-0x0000000000400000-0x00000000007BE000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1032-89-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-93-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-91-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1032-92-0x0000000004AE0000-0x0000000004B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1748-90-0x0000000004BB0000-0x0000000004BF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1748-75-0x0000000004BB0000-0x0000000004BF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1748-67-0x0000000001300000-0x000000000136A000-memory.dmp
    Filesize

    424KB

    Download