Analysis
max time kernel: 131s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2023 10:32
Static task: static1
Behavioral task: behavioral1
  Sample: a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
  Resource: win10v2004-20230220-en
General
Target: a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
Size: 255KB
MD5: a9f7d6b41ef9398f5b8fa1ca03d02b04
SHA1: c6381d564909b24e6d44906c87542476c89cbb91
SHA256: 2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
SHA512: cd28165d0a388af334559e3828c8dbbd24ba63eea8017aae88f355113863202ca13377db2a93fee97f1af5c224d9a763ada72d16c3c790691a8f1fba53039595
SSDEEP: 6144:WfIZHZETEmZuxEuE6ClwwSxZ7p4RhRyTUVeRl:VYTEmZulEgY2
Malware Config
Extracted (redline)
  @bloodyrain12
  94.142.138.4:80
  auth_value: deb2361761232960fecc0abd77d9ebf3
Extracted (laplas)
  http://185.209.161.189
  api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
  process: a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
- Executes dropped EXE (2 IoCs)
  pid 3944: svchost.exe
  pid 5080: ntlhost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  process: svchost.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header
  flow: 34
  ioc: Go-http-client/1.1
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1880: a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
  pid 1880: a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid 1880: a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1880 wrote to memory of 3944 (pid 1880, process a9f7d6b41ef9398f5b8fa1ca03d02b04.exe, procid_target 90)
  PID 1880 wrote to memory of 3944 (pid 1880, process a9f7d6b41ef9398f5b8fa1ca03d02b04.exe, procid_target 90)
  PID 3944 wrote to memory of 5080 (pid 3944, process svchost.exe, procid_target 92)
  PID 3944 wrote to memory of 5080 (pid 3944, process svchost.exe, procid_target 92)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9f7d6b41ef9398f5b8fa1ca03d02b04.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1880
   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 3944
      3. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
         Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
         - Executes dropped EXE
         PID: 5080
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4.0MB
  MD5: d076c4b5f5c42b44d583c534f78adbe7
  SHA1: c35478e67d490145520be73277cd72cd4e837090
  SHA256: 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
  SHA512: b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638
- Filesize: 776.0MB
  MD5: 143d7546213e9c16cd8b7db736a436ae
  SHA1: 626544445f8254e3b7c1f1de82616f1360309e64
  SHA256: c14ca667ff9243ea3e1891e87fc4a5a7962c04e70d47e40bdce7f66e6d3c4153
  SHA512: 393036d1b53eaba808768e9dfc6c36e2fd3164ad211e8d8ee6a3a8ccf147ff85bf92311b80cac1d95f97ea6d575559f77af45172cc24dfd0b99e8761b67921ea