Overview

overview

10

Static

static

1

CF7.bin.exe

windows7-x64

10

CF7.bin.exe

windows10-2004-x64

10

Resubmissions

21-09-2023 15:56

230921-tdmjkabb74 10

21-09-2023 15:51

230921-tagtxahb6w 10

Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2023 15:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CF7.bin.exe

  • Size

    1.3MB

  • MD5

    6f5c6ab6bef8193955686e12cadc0ae3

  • SHA1

    8b4ceb8063879eccf29ab04944753eab20f8c328

  • SHA256

    18195648d7dd6e5654785f57dd595f8a6de963571018aea172fe5b4d2b2a9fda

  • SHA512

    4a23b6633aa91916300ef3f5eb97a14a1e31e119148049a1310cab80addc634c281d617cc9ef5d09624a2e291134b502cadcd80896a394098c42c334c5365df7

  • SSDEEP

    24576:BsnoYufskYrupjowDYTCGFQXdKUmMHjjnpwWDf:Bs5RDwoKPGEdKUHjNwW7

Score
10/10
redlineinfostealerpersistencespyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CF7.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\CF7.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3392
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3456
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 1720
        3⤵
        • Program crash
        PID:3920
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\AddInProcess32.exe
        "C:\Windows\AddInProcess32.exe" 1 2 3 4 5 6 7
        3⤵
        • Executes dropped EXE
        PID:1228
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          4⤵
          • Runs ping.exe
          PID:3704
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3392 -ip 3392
    1⤵
      PID:5012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\AddInProcess32.exe
      Filesize

      42KB

      MD5

      9827ff3cdf4b83f9c86354606736ca9c

      SHA1

      e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

      SHA256

      c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

      SHA512

      8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

      Download Submit

    • C:\Windows\AddInProcess32.exe
      Filesize

      42KB

      MD5

      9827ff3cdf4b83f9c86354606736ca9c

      SHA1

      e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

      SHA256

      c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

      SHA512

      8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

      Download Submit

    • C:\Windows\AddInProcess32.exe
      Filesize

      42KB

      MD5

      9827ff3cdf4b83f9c86354606736ca9c

      SHA1

      e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

      SHA256

      c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

      SHA512

      8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

      Download Submit

    • memory/1192-23-0x0000000000400000-0x0000000000445000-memory.dmp

      Filesize

      276KB

      Download

    • memory/1192-21-0x0000000000400000-0x0000000000445000-memory.dmp

      Filesize

      276KB

      Download

    • memory/1228-89-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1228-84-0x0000000000C10000-0x0000000000C1C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1228-85-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1228-86-0x0000000002EF0000-0x0000000002F1A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1228-87-0x0000000005480000-0x00000000054D6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1384-6-0x0000000006500000-0x000000000659C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1384-17-0x00000000054E0000-0x00000000054F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1384-0-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1384-10-0x0000000007030000-0x000000000704A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1384-14-0x00000000054E0000-0x00000000054F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1384-9-0x00000000054E0000-0x00000000054F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1384-8-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1384-11-0x0000000007060000-0x0000000007066000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1384-7-0x0000000006810000-0x0000000006852000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1384-5-0x0000000005210000-0x000000000521A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1384-4-0x00000000054E0000-0x00000000054F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1384-3-0x00000000052A0000-0x0000000005332000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1384-2-0x0000000005850000-0x0000000005DF4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1384-24-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1384-1-0x0000000000D40000-0x0000000000E86000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3392-12-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3392-20-0x00000000050D0000-0x00000000050E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3392-19-0x00000000050D0000-0x00000000050E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3392-18-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3392-16-0x00000000050D0000-0x00000000050E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3392-15-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3392-13-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3392-98-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3456-94-0x0000000007D10000-0x0000000007D22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3456-90-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/3456-93-0x0000000008C40000-0x0000000009258000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3456-91-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3456-95-0x0000000007E60000-0x0000000007F6A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3456-96-0x0000000007D90000-0x0000000007DCC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3456-97-0x0000000007DD0000-0x0000000007E1C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3456-92-0x00000000055A0000-0x00000000055B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3456-99-0x0000000008690000-0x00000000086F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3456-100-0x00000000095E0000-0x0000000009656000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3456-101-0x0000000009830000-0x00000000099F2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3456-102-0x0000000009F30000-0x000000000A45C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3456-103-0x0000000009700000-0x000000000971E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3456-104-0x0000000009770000-0x00000000097C0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3456-106-0x0000000074CE0000-0x0000000075490000-memory.dmp

      Filesize

      7.7MB

      Download