Analysis
- max time kernel: 160s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-12-2023 06:01

Static task: static1
Behavioral task: behavioral1
Sample: 2b05bd5f01ec91055ec3235fe0308758.exe
Resource: win7-20231215-en
General
- Target: 2b05bd5f01ec91055ec3235fe0308758.exe
- Size: 1.2MB
- MD5: 2b05bd5f01ec91055ec3235fe0308758
- SHA1: 8fed0199247388c88870e20b15581353f7dc2ba9
- SHA256: 98012c9a8fe074b5514953c7cf7d70047a44bec639dda73d39d67283897465fb
- SHA512: b7e14c8406fd09cddab6cb06bdf72f5ba91c1bf9ad8e546198ce937da7554efe64ce43b1e7ba7da0487a2ba462de8be18cf68f712383a443ec733d599a354646
- SSDEEP: 24576:+SLXMkT/pY/feR4IQfPsNTpNOC4r2U+73ux3Sa:t8kBY/M+8N3adMU3Sa
Malware Config
Extracted:
- Family: redline
- 12
- C2: 185.92.74.32:80
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoCs)
  Processes:
    resource                                                                    | yara_rule
    behavioral2/memory/1420-24-0x0000000000B70000-0x0000000000B90000-memory.dmp | family_redline

- SectopRAT payload (1 IoCs)
  Processes:
    resource                                                                    | yara_rule
    behavioral2/memory/1420-24-0x0000000000B70000-0x0000000000B90000-memory.dmp | family_sectoprat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                                   | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 2b05bd5f01ec91055ec3235fe0308758.exe

- Deletes itself (1 IoCs)
  Processes:
    pid  | process
    3800 | Pensieroso.exe.com

- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    4652 | Pensieroso.exe.com
    3800 | Pensieroso.exe.com
    1420 | RegAsm.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          | pid  | process            | target process
    PID 3800 set thread context of 1420  | 3800 | Pensieroso.exe.com | RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes:
    pid  | process
    3800 | Pensieroso.exe.com (18 entries)
    1420 | RegAsm.exe (4 entries)

- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes:
    pid  | process
    4652 | Pensieroso.exe.com (3 entries)
    3800 | Pensieroso.exe.com (3 entries)

- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes:
    pid  | process
    4652 | Pensieroso.exe.com (3 entries)
    3800 | Pensieroso.exe.com (3 entries)

- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes:
    description                        | pid  | process                              | target process
    PID 3488 wrote to memory of 1596   | 3488 | 2b05bd5f01ec91055ec3235fe0308758.exe | dllhost.exe (3 entries)
    PID 3488 wrote to memory of 5032   | 3488 | 2b05bd5f01ec91055ec3235fe0308758.exe | cmd.exe (3 entries)
    PID 5032 wrote to memory of 1136   | 5032 | cmd.exe                              | cmd.exe (3 entries)
    PID 1136 wrote to memory of 3524   | 1136 | cmd.exe                              | findstr.exe (3 entries)
    PID 1136 wrote to memory of 4652   | 1136 | cmd.exe                              | Pensieroso.exe.com (3 entries)
    PID 1136 wrote to memory of 2080   | 1136 | cmd.exe                              | PING.EXE (3 entries)
    PID 4652 wrote to memory of 3800   | 4652 | Pensieroso.exe.com                   | Pensieroso.exe.com (3 entries)
    PID 3800 wrote to memory of 1420   | 3800 | Pensieroso.exe.com                   | RegAsm.exe (5 entries)
Processes (tree; nesting level as reported)

- [1] C:\Users\Admin\AppData\Local\Temp\2b05bd5f01ec91055ec3235fe0308758.exe (PID 3488)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b05bd5f01ec91055ec3235fe0308758.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\dllhost.exe (PID 1596)
    Command line: "C:\Windows\System32\dllhost.exe"

  - [2] C:\Windows\SysWOW64\cmd.exe (PID 5032)
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Bastanza.swf
    Signatures: Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1136)
      Command line: cmd
      Signatures: Suspicious use of WriteProcessMemory

      - [4] C:\Windows\SysWOW64\findstr.exe (PID 3524)
        Command line: findstr /V /R "^CxmnNpDYRvUOsMXEkPvVjDrPNGESxTAYheweUTnNgSjNchNETUDzDmWZsJKiFLDXWWBfKVKssJHxdfxATZYAdixOywKl$" Vai.swf

      - [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com (PID 4652)
        Command line: Pensieroso.exe.com M
        Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

        - [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com (PID 3800)
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com M
          Signatures: Deletes itself; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

          - [6] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe (PID 1420)
            Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

      - [4] C:\Windows\SysWOW64\PING.EXE (PID 2080)
        Command line: ping NUPNSVML -n 30
        Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bastanza.swf
  Filesize: 550B
  MD5: 91c1e2c3d91cb1c38948774853ad179c
  SHA1: 173ffff739657840dcb263dc2de8331cf7961caf
  SHA256: 59aaeaa576ba7eb6e705bea2fe5adc70cfcc578fd28a7d50c4d005d8f83c091a
  SHA512: c0084eaf798e48348f218d53fcb31902f70d49d69aa99ffd351a46531fa2835afdc141f18b4511b6e91c2e83ec6bf30de55155117a1ca0c103921b82779e176c

- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Buona.swf
  Filesize: 107KB
  MD5: 1cf05f985b0c9471f1a68152a3a36520
  SHA1: 6034a3d5014bc16caa580f00e65e2e2e91332714
  SHA256: 74815315e0a7be936b7317c90d205022525fc50735a22e60d5d218e64c6f0253
  SHA512: 109e70f5759ac7da59c8521d28dd1369f18b150fb8b5a3cba47e2c34fdfd109d378d477a57a19915e1e6594e4688fdfdf79014b93785399131f1b8d861890aac

- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fino.swf
  Filesize: 1.3MB
  MD5: b372a9eb306150c5b1ba16d8220185ab
  SHA1: 0b73f891a28a33e8acdaf290f6dc2efd7ff88621
  SHA256: 1f35b8d5a27ee8434a26c65483d4a46ebef32061ea7a39ae222305a34238a918
  SHA512: bb64b540dfb9d60f0e03fa6d52328cb7cc8d6b91290c9f5cff91b3fefab79acb7516743a7b40181dd1009c6575614f2b7494082beae70c322c3ac22d61df22a9

- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
  Filesize: 63KB
  MD5: 0d5df43af2916f47d00c1573797c1a13
  SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
  SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
  SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vai.swf
  Filesize: 872KB
  MD5: e6f31cfa21a920ffd366dae49fb309cd
  SHA1: 08005a379ab88647a466ad0c2447ce2f6e712bf2
  SHA256: fd0ffad0d6027db60588e145cba84a9374ce052f19502df4c95e0380ef893527
  SHA512: 14e9afbf7bf8f1e1053b4bb5cca389edbb5f4714febcb3fc2f6e87d9e2db010be78d3c1a6fae85110e1506ba79701013aed46a36ecc0dc929f68cc6e204b9ac1
- memory/1420-24-0x0000000000B70000-0x0000000000B90000-memory.dmp
  Filesize: 128KB

- memory/1420-28-0x0000000074950000-0x0000000075100000-memory.dmp
  Filesize: 7.7MB

- memory/1420-29-0x0000000005B90000-0x00000000061A8000-memory.dmp
  Filesize: 6.1MB

- memory/1420-30-0x00000000055B0000-0x00000000055C2000-memory.dmp
  Filesize: 72KB

- memory/1420-31-0x0000000005720000-0x000000000582A000-memory.dmp
  Filesize: 1.0MB

- memory/1420-32-0x0000000074950000-0x0000000075100000-memory.dmp
  Filesize: 7.7MB

- memory/1420-33-0x0000000005590000-0x00000000055A0000-memory.dmp
  Filesize: 64KB

- memory/1420-34-0x0000000005690000-0x00000000056CC000-memory.dmp
  Filesize: 240KB

- memory/3800-22-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
  Filesize: 4KB