Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-12-2023 06:01

Static task: static1
Behavioral task: behavioral1
Sample: 2b05bd5f01ec91055ec3235fe0308758.exe
Resource: win7-20231215-en
General
- Target: 2b05bd5f01ec91055ec3235fe0308758.exe
- Size: 1.2MB
- MD5: 2b05bd5f01ec91055ec3235fe0308758
- SHA1: 8fed0199247388c88870e20b15581353f7dc2ba9
- SHA256: 98012c9a8fe074b5514953c7cf7d70047a44bec639dda73d39d67283897465fb
- SHA512: b7e14c8406fd09cddab6cb06bdf72f5ba91c1bf9ad8e546198ce937da7554efe64ce43b1e7ba7da0487a2ba462de8be18cf68f712383a443ec733d599a354646
- SSDEEP: 24576:+SLXMkT/pY/feR4IQfPsNTpNOC4r2U+73ux3Sa:t8kBY/M+8N3adMU3Sa
Malware Config
Extracted
redline
12
185.92.74.32:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2180-41-0x0000000000090000-0x00000000000B0000-memory.dmp  family_redline
  behavioral1/memory/2180-45-0x0000000000090000-0x00000000000B0000-memory.dmp  family_redline
  behavioral1/memory/2180-47-0x0000000000090000-0x00000000000B0000-memory.dmp  family_redline
-
SectopRAT payload 3 IoCs
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2180-41-0x0000000000090000-0x00000000000B0000-memory.dmp  family_sectoprat
  behavioral1/memory/2180-45-0x0000000000090000-0x00000000000B0000-memory.dmp  family_sectoprat
  behavioral1/memory/2180-47-0x0000000000090000-0x00000000000B0000-memory.dmp  family_sectoprat
-
Deletes itself 1 IoCs
Processes:
  pid   process
  2504  cmd.exe
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  1692  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2180  RegAsm.exe
-
Loads dropped DLL 4 IoCs
Processes:
  pid   process
  1312  cmd.exe
  1692  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2180  RegAsm.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                           pid   process             target process
  PID 2972 set thread context of 2180   2972  Pensieroso.exe.com  RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
  pid   process
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2180  RegAsm.exe
  2180  RegAsm.exe
  2180  RegAsm.exe
  2180  RegAsm.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
  pid   process
  1692  Pensieroso.exe.com
  1692  Pensieroso.exe.com
  1692  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
-
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
  pid   process
  1692  Pensieroso.exe.com
  1692  Pensieroso.exe.com
  1692  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
  2972  Pensieroso.exe.com
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
  description                          pid   process                               target process
  PID 2432 wrote to memory of 2060     2432  2b05bd5f01ec91055ec3235fe0308758.exe  dllhost.exe
  PID 2432 wrote to memory of 2060     2432  2b05bd5f01ec91055ec3235fe0308758.exe  dllhost.exe
  PID 2432 wrote to memory of 2060     2432  2b05bd5f01ec91055ec3235fe0308758.exe  dllhost.exe
  PID 2432 wrote to memory of 2060     2432  2b05bd5f01ec91055ec3235fe0308758.exe  dllhost.exe
  PID 2432 wrote to memory of 2072     2432  2b05bd5f01ec91055ec3235fe0308758.exe  cmd.exe
  PID 2432 wrote to memory of 2072     2432  2b05bd5f01ec91055ec3235fe0308758.exe  cmd.exe
  PID 2432 wrote to memory of 2072     2432  2b05bd5f01ec91055ec3235fe0308758.exe  cmd.exe
  PID 2432 wrote to memory of 2072     2432  2b05bd5f01ec91055ec3235fe0308758.exe  cmd.exe
  PID 2072 wrote to memory of 1312     2072  cmd.exe                               cmd.exe
  PID 2072 wrote to memory of 1312     2072  cmd.exe                               cmd.exe
  PID 2072 wrote to memory of 1312     2072  cmd.exe                               cmd.exe
  PID 2072 wrote to memory of 1312     2072  cmd.exe                               cmd.exe
  PID 1312 wrote to memory of 832      1312  cmd.exe                               findstr.exe
  PID 1312 wrote to memory of 832      1312  cmd.exe                               findstr.exe
  PID 1312 wrote to memory of 832      1312  cmd.exe                               findstr.exe
  PID 1312 wrote to memory of 832      1312  cmd.exe                               findstr.exe
  PID 1312 wrote to memory of 1692     1312  cmd.exe                               Pensieroso.exe.com
  PID 1312 wrote to memory of 1692     1312  cmd.exe                               Pensieroso.exe.com
  PID 1312 wrote to memory of 1692     1312  cmd.exe                               Pensieroso.exe.com
  PID 1312 wrote to memory of 1692     1312  cmd.exe                               Pensieroso.exe.com
  PID 1312 wrote to memory of 1212     1312  cmd.exe                               PING.EXE
  PID 1312 wrote to memory of 1212     1312  cmd.exe                               PING.EXE
  PID 1312 wrote to memory of 1212     1312  cmd.exe                               PING.EXE
  PID 1312 wrote to memory of 1212     1312  cmd.exe                               PING.EXE
  PID 1692 wrote to memory of 2972     1692  Pensieroso.exe.com                    Pensieroso.exe.com
  PID 1692 wrote to memory of 2972     1692  Pensieroso.exe.com                    Pensieroso.exe.com
  PID 1692 wrote to memory of 2972     1692  Pensieroso.exe.com                    Pensieroso.exe.com
  PID 1692 wrote to memory of 2972     1692  Pensieroso.exe.com                    Pensieroso.exe.com
  PID 2432 wrote to memory of 2504     2432  2b05bd5f01ec91055ec3235fe0308758.exe  cmd.exe
  PID 2432 wrote to memory of 2504     2432  2b05bd5f01ec91055ec3235fe0308758.exe  cmd.exe
  PID 2432 wrote to memory of 2504     2432  2b05bd5f01ec91055ec3235fe0308758.exe  cmd.exe
  PID 2432 wrote to memory of 2504     2432  2b05bd5f01ec91055ec3235fe0308758.exe  cmd.exe
  PID 2972 wrote to memory of 2180     2972  Pensieroso.exe.com                    RegAsm.exe
  PID 2972 wrote to memory of 2180     2972  Pensieroso.exe.com                    RegAsm.exe
  PID 2972 wrote to memory of 2180     2972  Pensieroso.exe.com                    RegAsm.exe
  PID 2972 wrote to memory of 2180     2972  Pensieroso.exe.com                    RegAsm.exe
  PID 2972 wrote to memory of 2180     2972  Pensieroso.exe.com                    RegAsm.exe
  PID 2972 wrote to memory of 2180     2972  Pensieroso.exe.com                    RegAsm.exe
  PID 2972 wrote to memory of 2180     2972  Pensieroso.exe.com                    RegAsm.exe
  PID 2972 wrote to memory of 2180     2972  Pensieroso.exe.com                    RegAsm.exe
  PID 2972 wrote to memory of 2180     2972  Pensieroso.exe.com                    RegAsm.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2b05bd5f01ec91055ec3235fe0308758.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2b05bd5f01ec91055ec3235fe0308758.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2432

    [2] C:\Windows\SysWOW64\dllhost.exe
        Command line: "C:\Windows\System32\dllhost.exe"
        PID: 2060

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cmd < Bastanza.swf
        - Suspicious use of WriteProcessMemory
        PID: 2072

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 1312

            [4] C:\Windows\SysWOW64\findstr.exe
                Command line: findstr /V /R "^CxmnNpDYRvUOsMXEkPvVjDrPNGESxTAYheweUTnNgSjNchNETUDzDmWZsJKiFLDXWWBfKVKssJHxdfxATZYAdixOywKl$" Vai.swf
                PID: 832

            [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
                Command line: Pensieroso.exe.com M
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
                PID: 1692

                [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
                    Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com M
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Suspicious use of SetThreadContext
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of WriteProcessMemory
                    PID: 2972

                    [6] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                        Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                        - Executes dropped EXE
                        - Loads dropped DLL
                        - Suspicious behavior: EnumeratesProcesses
                        PID: 2180

            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping QVMRJQQO -n 30
                - Runs ping.exe
                PID: 1212

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        - Deletes itself
        PID: 2504
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize: 236B
MD5: d230652b8a9841fceb5c88052bcac9ca
SHA1: 9c7b5c4dfa5f8bfaf812b505ffaf6aa4a060eaea
SHA256: 6f33f62e0e57d4c5f95a9c0c79c41d14cab893109e21a9b2e67a1b832fbd585b
SHA512: b703ba8cd89d5c2a339d1e3f2a2330045e040132efce12f55b1aa698727e5bcf6d223dd11fb38e85fcc1dbe21599dc073ad3fdb33c85776c4b06d28d8b0342c0
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bastanza.swf
Filesize: 550B
MD5: 91c1e2c3d91cb1c38948774853ad179c
SHA1: 173ffff739657840dcb263dc2de8331cf7961caf
SHA256: 59aaeaa576ba7eb6e705bea2fe5adc70cfcc578fd28a7d50c4d005d8f83c091a
SHA512: c0084eaf798e48348f218d53fcb31902f70d49d69aa99ffd351a46531fa2835afdc141f18b4511b6e91c2e83ec6bf30de55155117a1ca0c103921b82779e176c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Buona.swf
Filesize: 107KB
MD5: 1cf05f985b0c9471f1a68152a3a36520
SHA1: 6034a3d5014bc16caa580f00e65e2e2e91332714
SHA256: 74815315e0a7be936b7317c90d205022525fc50735a22e60d5d218e64c6f0253
SHA512: 109e70f5759ac7da59c8521d28dd1369f18b150fb8b5a3cba47e2c34fdfd109d378d477a57a19915e1e6594e4688fdfdf79014b93785399131f1b8d861890aac
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fino.swf
Filesize: 1.3MB
MD5: b372a9eb306150c5b1ba16d8220185ab
SHA1: 0b73f891a28a33e8acdaf290f6dc2efd7ff88621
SHA256: 1f35b8d5a27ee8434a26c65483d4a46ebef32061ea7a39ae222305a34238a918
SHA512: bb64b540dfb9d60f0e03fa6d52328cb7cc8d6b91290c9f5cff91b3fefab79acb7516743a7b40181dd1009c6575614f2b7494082beae70c322c3ac22d61df22a9
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vai.swf
Filesize: 872KB
MD5: e6f31cfa21a920ffd366dae49fb309cd
SHA1: 08005a379ab88647a466ad0c2447ce2f6e712bf2
SHA256: fd0ffad0d6027db60588e145cba84a9374ce052f19502df4c95e0380ef893527
SHA512: 14e9afbf7bf8f1e1053b4bb5cca389edbb5f4714febcb3fc2f6e87d9e2db010be78d3c1a6fae85110e1506ba79701013aed46a36ecc0dc929f68cc6e204b9ac1
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
Filesize: 63KB
MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
memory/2180-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize: 4KB
-
memory/2180-38-0x0000000000090000-0x00000000000B0000-memory.dmp
Filesize: 128KB
-
memory/2180-41-0x0000000000090000-0x00000000000B0000-memory.dmp
Filesize: 128KB
-
memory/2180-45-0x0000000000090000-0x00000000000B0000-memory.dmp
Filesize: 128KB
-
memory/2180-47-0x0000000000090000-0x00000000000B0000-memory.dmp
Filesize: 128KB
-
memory/2972-34-0x00000000001C0000-0x00000000001C1000-memory.dmp
Filesize: 4KB