Overview

overview

10

Static

static

1

CF7.bin.exe

windows10-1703-x64

10

Resubmissions

21/09/2023, 15:56

230921-tdmjkabb74 10

21/09/2023, 15:51

230921-tagtxahb6w 10

Analysis

  • max time kernel
    315s
  • max time network
    389s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21/09/2023, 15:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    CF7.bin.exe

  • Size

    1.3MB

  • MD5

    6f5c6ab6bef8193955686e12cadc0ae3

  • SHA1

    8b4ceb8063879eccf29ab04944753eab20f8c328

  • SHA256

    18195648d7dd6e5654785f57dd595f8a6de963571018aea172fe5b4d2b2a9fda

  • SHA512

    4a23b6633aa91916300ef3f5eb97a14a1e31e119148049a1310cab80addc634c281d617cc9ef5d09624a2e291134b502cadcd80896a394098c42c334c5365df7

  • SSDEEP

    24576:BsnoYufskYrupjowDYTCGFQXdKUmMHjjnpwWDf:Bs5RDwoKPGEdKUHjNwW7

Score
10/10
redlineinfostealerpersistencespyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 2 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CF7.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\CF7.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1656
        3⤵
        • Program crash
        PID:3228
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3456
      • C:\Windows\AddInProcess32.exe
        "C:\Windows\AddInProcess32.exe" 1 2 3 4 5 6 7
        3⤵
        • Executes dropped EXE
        PID:4040
      • C:\Windows\System32\cmd.exe
        /c ping localhost -n 3 > nul & del C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4284
        • C:\Windows\system32\PING.EXE
          ping localhost -n 3
          4⤵
          • Runs ping.exe
          PID:4180
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1700
      2⤵
      • Program crash
      PID:4512

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\AddInProcess32.exe
          Filesize

          41KB

          MD5

          6a673bfc3b67ae9782cb31af2f234c68

          SHA1

          7544e89566d91e84e3cd437b9a073e5f6b56566e

          SHA256

          978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

          SHA512

          72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

          Download Submit

        • C:\Windows\AddInProcess32.exe
          Filesize

          41KB

          MD5

          6a673bfc3b67ae9782cb31af2f234c68

          SHA1

          7544e89566d91e84e3cd437b9a073e5f6b56566e

          SHA256

          978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

          SHA512

          72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

          Download Submit

        • C:\Windows\AddInProcess32.exe
          Filesize

          41KB

          MD5

          6a673bfc3b67ae9782cb31af2f234c68

          SHA1

          7544e89566d91e84e3cd437b9a073e5f6b56566e

          SHA256

          978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

          SHA512

          72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

          Download Submit

        • memory/3456-22-0x0000000000400000-0x0000000000445000-memory.dmp

          Filesize

          276KB

          Download

        • memory/3456-23-0x0000000000400000-0x0000000000445000-memory.dmp

          Filesize

          276KB

          Download

        • memory/3804-87-0x0000000073A10000-0x00000000740FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3804-93-0x000000000B9E0000-0x000000000BA2B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3804-418-0x0000000073A10000-0x00000000740FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3804-411-0x000000000E820000-0x000000000E870000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3804-290-0x000000000DAD0000-0x000000000DFFC000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/3804-289-0x000000000D3D0000-0x000000000D592000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3804-254-0x000000000D080000-0x000000000D09E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3804-101-0x000000000D0D0000-0x000000000D146000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3804-98-0x000000000C1B0000-0x000000000C216000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3804-83-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/3804-92-0x000000000B980000-0x000000000B9BE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3804-91-0x000000000BA40000-0x000000000BB4A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3804-90-0x000000000B910000-0x000000000B922000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3804-89-0x000000000C680000-0x000000000CC86000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/3804-88-0x000000000B880000-0x000000000B890000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4040-77-0x00000000006A0000-0x00000000006AC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4040-82-0x0000000073A10000-0x00000000740FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4040-80-0x0000000004EB0000-0x0000000004F06000-memory.dmp

          Filesize

          344KB

          Download

        • memory/4040-78-0x0000000002930000-0x000000000295A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/4040-79-0x0000000073A10000-0x00000000740FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/5032-1-0x0000000000210000-0x0000000000356000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/5032-8-0x0000000073A10000-0x00000000740FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/5032-2-0x0000000005C20000-0x000000000611E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/5032-3-0x0000000005650000-0x00000000056E2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/5032-4-0x0000000005880000-0x0000000005890000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5032-5-0x0000000005640000-0x000000000564A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5032-7-0x0000000007180000-0x00000000071C2000-memory.dmp

          Filesize

          264KB

          Download

        • memory/5032-14-0x0000000005880000-0x0000000005890000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5032-0-0x0000000073A10000-0x00000000740FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/5032-9-0x0000000005880000-0x0000000005890000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5032-18-0x0000000005880000-0x0000000005890000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5032-6-0x0000000005B60000-0x0000000005BFC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/5032-10-0x0000000007820000-0x000000000783A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/5032-11-0x0000000009D00000-0x0000000009D06000-memory.dmp

          Filesize

          24KB

          Download

        • memory/5048-17-0x0000000005380000-0x0000000005390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5048-13-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/5048-12-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/5048-15-0x0000000073A10000-0x00000000740FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/5048-16-0x0000000005380000-0x0000000005390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5048-19-0x0000000073A10000-0x00000000740FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/5048-20-0x0000000005380000-0x0000000005390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5048-21-0x0000000005380000-0x0000000005390000-memory.dmp

          Filesize

          64KB

          Download