Analysis
-
max time kernel
117s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
24-03-2023 05:33
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20230220-en
General
-
Target
tmp.exe
-
Size
1.6MB
-
MD5
e5f500ae2fdb4ab9f6be5475964ec5c7
-
SHA1
a9227afc32e5ce7722c8927f4c3f8c7b26da9923
-
SHA256
bc3806f66884b0cca0e04cd6ec09f391f5ea3855e3ce6bd621e04706ece5e6ed
-
SHA512
768916e73c77bed2394e428621ae39521f8ebcff2a4b367f9ae1510165aacb1f29a04953845a8026f3f5ee10123cadbf929e3b2ed0117f6f3b8c9d13e681c366
-
SSDEEP
49152:OhWTfPjDurtiIIMmk7Shxtj+EXQW054yobLhT:rDXInmGShDJXQW054yqhT
Malware Config
Extracted
redline
mix1
80.85.157.78:13331
-
auth_value
4f9b36b8bfdf2607d3f0e623584037e2
Extracted
vidar
3.1
ba1fc89d9f7df84dadf34886aabb246c
https://t.me/owned001
http://65.109.236.2:80
https://t.me/tabootalks
https://steamcommunity.com/profiles/76561199472266392
http://135.181.26.183:80
-
profile_id_v2
ba1fc89d9f7df84dadf34886aabb246c
-
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
tmp.exedescription pid process target process PID 1468 created 2424 1468 tmp.exe taskhostw.exe -
Loads dropped DLL 3 IoCs
Processes:
tmp.exefontview.exepid process 1468 tmp.exe 1180 fontview.exe 1180 fontview.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
tmp.exedescription pid process target process PID 1468 set thread context of 5080 1468 tmp.exe ngentask.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2068 1180 WerFault.exe fontview.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
fontview.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 fontview.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString fontview.exe -
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes:
tmp.exengentask.exefontview.exepid process 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 1468 tmp.exe 5080 ngentask.exe 5080 ngentask.exe 1180 fontview.exe 1180 fontview.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ngentask.exedescription pid process Token: SeDebugPrivilege 5080 ngentask.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
tmp.exedescription pid process target process PID 1468 wrote to memory of 5000 1468 tmp.exe ngentask.exe PID 1468 wrote to memory of 5000 1468 tmp.exe ngentask.exe PID 1468 wrote to memory of 5000 1468 tmp.exe ngentask.exe PID 1468 wrote to memory of 5080 1468 tmp.exe ngentask.exe PID 1468 wrote to memory of 5080 1468 tmp.exe ngentask.exe PID 1468 wrote to memory of 5080 1468 tmp.exe ngentask.exe PID 1468 wrote to memory of 5080 1468 tmp.exe ngentask.exe PID 1468 wrote to memory of 5080 1468 tmp.exe ngentask.exe PID 1468 wrote to memory of 1180 1468 tmp.exe fontview.exe PID 1468 wrote to memory of 1180 1468 tmp.exe fontview.exe PID 1468 wrote to memory of 1180 1468 tmp.exe fontview.exe PID 1468 wrote to memory of 1180 1468 tmp.exe fontview.exe
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\SYSWOW64\fontview.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 15563⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1180 -ip 11801⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Temp\240552906.dllFilesize
566KB
MD587a0c31ef2e03ee553605ca1bebbd354
SHA119c69d245f75814f495beb4770c55f0c9003b53c
SHA2564e6a47c072dc87cc310995ebdf10db5d76fa180e8ce8a0909db751121927afff
SHA512fe08f217bfa56d003eb174de9e1418384989da71ab6b504893b3ee88da975da9e2b593afc4213be3c1054f2ba7d62003cbb34dcea3644d85d1db6817d5815a76
-
memory/1180-167-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/1180-237-0x0000000000E00000-0x0000000000E6D000-memory.dmpFilesize
436KB
-
memory/1180-236-0x0000000000E00000-0x0000000000E6D000-memory.dmpFilesize
436KB
-
memory/1180-142-0x0000000000E00000-0x0000000000E6D000-memory.dmpFilesize
436KB
-
memory/1180-235-0x0000000000E00000-0x0000000000E6D000-memory.dmpFilesize
436KB
-
memory/1468-134-0x000000000F910000-0x000000000FA5A000-memory.dmpFilesize
1.3MB
-
memory/5080-145-0x0000000007530000-0x000000000763A000-memory.dmpFilesize
1.0MB
-
memory/5080-164-0x0000000008A50000-0x0000000008F7C000-memory.dmpFilesize
5.2MB
-
memory/5080-159-0x0000000007920000-0x00000000079B2000-memory.dmpFilesize
584KB
-
memory/5080-160-0x0000000007F70000-0x0000000008514000-memory.dmpFilesize
5.6MB
-
memory/5080-161-0x0000000007AC0000-0x0000000007B36000-memory.dmpFilesize
472KB
-
memory/5080-162-0x0000000007B40000-0x0000000007B90000-memory.dmpFilesize
320KB
-
memory/5080-163-0x0000000007D60000-0x0000000007F22000-memory.dmpFilesize
1.8MB
-
memory/5080-158-0x0000000007810000-0x0000000007876000-memory.dmpFilesize
408KB
-
memory/5080-165-0x0000000004F70000-0x0000000004F80000-memory.dmpFilesize
64KB
-
memory/5080-148-0x00000000074A0000-0x00000000074DC000-memory.dmpFilesize
240KB
-
memory/5080-147-0x0000000004F70000-0x0000000004F80000-memory.dmpFilesize
64KB
-
memory/5080-146-0x0000000007440000-0x0000000007452000-memory.dmpFilesize
72KB
-
memory/5080-144-0x0000000005BA0000-0x00000000061B8000-memory.dmpFilesize
6.1MB
-
memory/5080-137-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/5080-135-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB