Analysis

  • max time kernel
    85s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/07/2023, 03:21

General

  • Target

    https://www.mediafire.com/file/o592xdyoi7corlo/Uploader.zip/file

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/o592xdyoi7corlo/Uploader.zip/file
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:412
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4744
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Uploader\" -spe -an -ai#7zMap18705:78:7zEvent184
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4836
  • C:\Users\Admin\Downloads\Uploader\Setup.exe
    "C:\Users\Admin\Downloads\Uploader\Setup.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2424
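The chain above (a dropped Setup.exe flagged for SetThreadContext and WriteProcessMemory, then an argument-less AppLaunch.exe as its child) is the hollowing pattern a detection engineer wants to catch from endpoint telemetry rather than from a sandbox. The script below is an added example, not code from the report or the sandbox vendor: it scores constructed Sysmon Event ID 1-style records that mirror the report's process tree and flags the host process. The parent PIDs of the top-level processes, the list of .NET host binaries, the user-writable path list and the benign control record are assumptions.

```python
"""Flag a loader -> hollowed .NET host chain (here Setup.exe PID 1520 -> AppLaunch.exe
PID 2424) from process-creation telemetry.

Added example, not code from the report or its sandbox. EVENTS is a constructed set
of Sysmon Event ID 1-style records mirroring the report's process tree; parent PIDs
of the top-level processes, the host-binary list and the control event are assumed.
"""
import ntpath

# .NET Framework executables under C:\Windows that C# loaders commonly hollow
# (assumption: illustrative list, extend from your own telemetry).
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Locations a standard user can write to: a parent started from here was dropped, not installed.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

EVENTS = [  # constructed records
    {"ProcessId": 5084, "ParentProcessId": 3000,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/o592xdyoi7corlo/Uploader.zip/file',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4836, "ParentProcessId": 4744,
     "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Uploader\" -spe -an -ai#7zMap18705:78:7zEvent184',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"ProcessId": 1520, "ParentProcessId": 3000,
     "Image": r"C:\Users\Admin\Downloads\Uploader\Setup.exe",
     "CommandLine": r'"C:\Users\Admin\Downloads\Uploader\Setup.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 2424, "ParentProcessId": 1520,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
     "ParentImage": r"C:\Users\Admin\Downloads\Uploader\Setup.exe"},
    # constructed control: an installed parent and a real argument; must not fire
    {"ProcessId": 6100, "ParentProcessId": 6000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" C:\Program Files\Vendor\app.exe',
     "ParentImage": r"C:\Program Files\Vendor\Vendor.exe"},
]


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return bool(rest.strip())


def score_event(ev):
    """Return the reasons an event looks like a hollowed .NET host; empty list if none."""
    reasons = []
    if ntpath.basename(ev["Image"]).lower() not in DOTNET_HOSTS:
        return reasons  # only the child side of the chain is scored
    reasons.append("child is a .NET Framework host binary")
    if not has_arguments(ev["CommandLine"]):
        # a legitimate launch names the assembly to run; a hollowed copy needs no arguments
        reasons.append("host started with an empty command line")
    if ev["ParentImage"].lower().startswith(USER_WRITABLE):
        reasons.append("parent executes from a user-writable path")
    return reasons


def detect(events):
    """Flag hosts that combine the binary match with at least one further indicator."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:
            hits.append((ev["ProcessId"], ev["ParentProcessId"], reasons))
    return hits


if __name__ == "__main__":
    for pid, ppid, reasons in detect(EVENTS):
        print(f"PID {pid} (parent {ppid}): " + "; ".join(reasons))
```

The rule deliberately scores only the child: the sandbox's SetThreadContext and WriteProcessMemory findings on the parent come from API hooking, which Sysmon does not give you, so the empty command line and the dropped-file parent are the two signals that survive in plain process-creation logs.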

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NH7OL6B2\www.mediafire[1].xml

      Filesize

      13B

      MD5

      c1ddea3ef6bbef3e7060a1a9ad89e4c5

      SHA1

      35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

      SHA256

      b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

      SHA512

      6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NH7OL6B2\www.mediafire[1].xml

      Filesize

      1KB

      MD5

      fa2ea952237531fbe9ca4bdfac68257c

      SHA1

      0ab069eb2dce78266fb8acc0b5d7f758293b4d71

      SHA256

      1d25a55bfe0a13e5460dff26b9b8df9b6eae26bacf9d015a46d3deeebab773a2

      SHA512

      a763bb32d98a9b125f905a0079dc8663ae0d074d8b0b2a3466639ce78194011ee7ef2d350ed83065d0ce0880f29ccf42d4e32f4b4ba06f8eff92fca4af32e1bc

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NH7OL6B2\www.mediafire[1].xml

      Filesize

      246B

      MD5

      307d2eafba0ae1b8e2d66cac6401e76c

      SHA1

      a4010f86338faf8ac77688baee68cd5a13d683b3

      SHA256

      783d6715904d7e269aab418609cdcf7ea29548c54425a69c9cf912e2d21b5cb8

      SHA512

      40635b52e40a8ce85b171f4828dc5841844f16d21902998d250165f7894d659789ddc8994f69f3cd17bd5c0b5d87625d740c6077c82d3469521ae211a367bf59

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\qwzqiba\imagestore.dat

      Filesize

      11KB

      MD5

      8b1909541bf19d39fffcef26f846cbda

      SHA1

      ed7d5056327a7cdb687f3493ee3b5ff8492cbf82

      SHA256

      d93744fdbcaec44c4683f618f79081d0ab907197497d752b3128727655fb6e35

      SHA512

      26a72b0ff6af72f1b0718d3e6608f1aa471353e8bde76741973de55cc70f42473368379904cfff8b676a5caa20a9be505aa435fc18cc7e78ebba00fa59271be3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GVVED0TI\favicon[1].ico

      Filesize

      10KB

      MD5

      a301c91c118c9e041739ad0c85dfe8c5

      SHA1

      039962373b35960ef2bb5fbbe3856c0859306bf7

      SHA256

      cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f

      SHA512

      3a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HV5TY8S3\Uploader[1].zip

      Filesize

      9.1MB

      MD5

      6e2b2e0bb2d38246fb98b910317eeea9

      SHA1

      782b20b74d8f4339412d18b771441d44159603a7

      SHA256

      ed16de9cf1e9d9711f3d0277936fcc4ff63fb8efe45879fad75612382418a399

      SHA512

      74ea9283c010dcbfc1ea17fb675a0d836fe10d6fa960c90905c3a822f2badfe490ac3b6d7eb074cfe9e61d827321d8b859cf65d830645d9a2353f072f40089a2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HV5TY8S3\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\Downloads\Uploader.zip.0lb4556.partial

      Filesize

      9.1MB

      MD5

      6e2b2e0bb2d38246fb98b910317eeea9

      SHA1

      782b20b74d8f4339412d18b771441d44159603a7

      SHA256

      ed16de9cf1e9d9711f3d0277936fcc4ff63fb8efe45879fad75612382418a399

      SHA512

      74ea9283c010dcbfc1ea17fb675a0d836fe10d6fa960c90905c3a822f2badfe490ac3b6d7eb074cfe9e61d827321d8b859cf65d830645d9a2353f072f40089a2

    • C:\Users\Admin\Downloads\Uploader\Setup.exe

      Filesize

      1.2MB

      MD5

      809baae1c7fc2cec1752ece1c3423d61

      SHA1

      413cbbb975cf020d2509df93febeacb9a8f80433

      SHA256

      070df0adc7ea1fb66fc937add4705cd604e2666567ea1de038b8a6548f9354ec

      SHA512

      82f7db9917aad6a14f0adf6dd2bd9b74a062eb2d146c11664d5ec5cc0697a46b6468c6b642a52dd4165a146c2c3f74e821d2f0b27470a1fd58f570a891856c4d

    • memory/1520-442-0x0000000000880000-0x0000000000A11000-memory.dmp

      Filesize

      1.6MB

    • memory/2424-444-0x0000000007550000-0x00000000075E2000-memory.dmp

      Filesize

      584KB

    • memory/2424-450-0x0000000007720000-0x000000000775C000-memory.dmp

      Filesize

      240KB

    • memory/2424-445-0x00000000075F0000-0x00000000075FA000-memory.dmp

      Filesize

      40KB

    • memory/2424-446-0x00000000086D0000-0x0000000008CE8000-memory.dmp

      Filesize

      6.1MB

    • memory/2424-447-0x00000000076C0000-0x00000000076D2000-memory.dmp

      Filesize

      72KB

    • memory/2424-448-0x00000000076B0000-0x00000000076C0000-memory.dmp

      Filesize

      64KB

    • memory/2424-449-0x00000000079B0000-0x0000000007ABA000-memory.dmp

      Filesize

      1.0MB

    • memory/2424-443-0x0000000007B00000-0x00000000080A4000-memory.dmp

      Filesize

      5.6MB

    • memory/2424-451-0x0000000008120000-0x0000000008186000-memory.dmp

      Filesize

      408KB

    • memory/2424-452-0x0000000008EF0000-0x0000000008F66000-memory.dmp

      Filesize

      472KB

    • memory/2424-453-0x0000000008680000-0x000000000869E000-memory.dmp

      Filesize

      120KB

    • memory/2424-454-0x0000000009400000-0x00000000095C2000-memory.dmp

      Filesize

      1.8MB

    • memory/2424-455-0x000000000A480000-0x000000000A9AC000-memory.dmp

      Filesize

      5.2MB

    • memory/2424-456-0x0000000009330000-0x0000000009380000-memory.dmp

      Filesize

      320KB

    • memory/2424-457-0x00000000076B0000-0x00000000076C0000-memory.dmp

      Filesize

      64KB

    • memory/2424-437-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB
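The Downloads list repeats the same bytes under several paths (the IE cache copy and the .partial download of Uploader.zip share every hash), and each memory dump encodes its address range in the filename, so the reported Filesize can be cross-checked against the range. The parser below is an added example, not code from the report or its sandbox: it turns entries written in the report's layout into records, groups them by SHA256, decodes the memory/<pid>-<seq>-<start>-<end> names and verifies the sizes. SAMPLE is a constructed excerpt that copies values from the entries above; the image-base heuristic at the end is an assumption.

```python
"""Parse a Triage-style Downloads/memory list, collapse same-bytes entries and check
dump ranges against the reported sizes.

Added example, not code from the report or its sandbox. SAMPLE is a constructed
excerpt in the report's layout with values copied from the entries above.
"""
import re
from collections import defaultdict

SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HV5TY8S3\Uploader[1].zip
  Filesize
  9.1MB
  SHA256
  ed16de9cf1e9d9711f3d0277936fcc4ff63fb8efe45879fad75612382418a399
• C:\Users\Admin\Downloads\Uploader.zip.0lb4556.partial
  Filesize
  9.1MB
  SHA256
  ed16de9cf1e9d9711f3d0277936fcc4ff63fb8efe45879fad75612382418a399
• C:\Users\Admin\Downloads\Uploader\Setup.exe
  Filesize
  1.2MB
  SHA256
  070df0adc7ea1fb66fc937add4705cd604e2666567ea1de038b8a6548f9354ec
• memory/1520-442-0x0000000000880000-0x0000000000A11000-memory.dmp
  Filesize
  1.6MB
• memory/2424-437-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize
  360KB
• memory/2424-443-0x0000000007B00000-0x00000000080A4000-memory.dmp
  Filesize
  5.6MB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_artifacts(text):
    """One dict per bullet: {'path': ..., 'Filesize': ..., 'SHA256': ...}; a value follows its label."""
    entries, label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"path": line[1:].strip()})
            label = None
        elif line in LABELS:
            label = line
        elif label and entries:
            entries[-1][label] = line
            label = None
    return entries


def group_by_sha256(entries):
    """sha256 -> paths; cache copy, .partial and final file are usually the same bytes."""
    groups = defaultdict(list)
    for e in entries:
        if "SHA256" in e:
            groups[e["SHA256"]].append(e["path"])
    return dict(groups)


def parse_memory_name(name):
    """Decode 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp'; None if not a dump name."""
    m = MEM_RE.match(name)
    if not m:
        return None
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start}


def format_size(n):
    """Render a byte count the way the report does: B, whole KB, MB to one decimal."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 * 1024:
        return f"{round(n / 1024)}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_memory_regions(entries):
    """Cross-check every dump's address range against its reported Filesize."""
    out = []
    for e in entries:
        region = parse_memory_name(e["path"])
        if region:
            region["reported"] = e.get("Filesize")
            region["consistent"] = format_size(region["size"]) == region["reported"]
            out.append(region)
    return out


def image_base_regions(regions, base=0x400000):
    """Heuristic (assumption): a dump starting at the default 32-bit image base is the first
    candidate to carve for a hollowed payload; AppLaunch.exe here is the 32-bit Framework build."""
    return [r for r in regions if r["start"] == base]


if __name__ == "__main__":
    arts = parse_artifacts(SAMPLE)
    for sha, paths in group_by_sha256(arts).items():
        print(sha[:16], len(paths), "path(s)")
    for r in check_memory_regions(arts):
        print(r["pid"], hex(r["start"]), format_size(r["size"]), "ok" if r["consistent"] else "MISMATCH")
```

Grouping by SHA256 before pivoting on hashes avoids counting the .partial file, the INetCache copy and the final download as three indicators; a mismatch between a dump's range and its reported size would point at an extraction error in the report rather than at the sample.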