Analysis
max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 08-02-2024 08:09
Static task: static1
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20231215-en
General
Target: tmp.exe
Size: 1.6MB
MD5: 8c281571c5fdaf40aa847d90e5a81075
SHA1: 041fa6e79e9027350c1f241375687de7f8cba367
SHA256: 0182e73c39240c0e660bbdd4262209f08d767562d4794b7ed5e36a4d4f36b409
SHA512: b0e481681b02e4cc4f95deff2fa21354f94ad34e6611d97de3a127ae285038164df724f3db27bbf03caa217c3d8dabf77bfdadeaf9af8a1915edacbd35c1c862
SSDEEP: 24576:+oTMZJmDclvSgPUbKzCT7x31NeeVQjeXCNvVrZb1muw7aYDBE86:gZE4lvqKu7x32eVQiXI5Xmj7te
Malware Config
Extracted
redline
@logscloudyt_bot
185.172.128.33:8924
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000c000000015608-34.dat | family_redline
behavioral1/memory/2684-36-0x0000000000070000-0x00000000000C4000-memory.dmp | family_redline
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | STAR.exe
-
Executes dropped EXE 3 IoCs
pid | Process
2536 | STAR.exe
2684 | bott.exe
1800 | qemu-ga.exe
-
Loads dropped DLL 3 IoCs
pid | Process
2652 | RegAsm.exe
2652 | RegAsm.exe
2536 | STAR.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2052 set thread context of 2652 | 2052 | tmp.exe | 30
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2536 | STAR.exe
2684 | bott.exe
2684 | bott.exe
2684 | bott.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2536 | STAR.exe
Token: SeDebugPrivilege | 2684 | bott.exe
Token: SeDebugPrivilege | 2652 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 39 IoCs
description | pid | Process | procid_target
PID 2052 wrote to memory of 2376 | 2052 | tmp.exe | 29
PID 2052 wrote to memory of 2376 | 2052 | tmp.exe | 29
PID 2052 wrote to memory of 2376 | 2052 | tmp.exe | 29
PID 2052 wrote to memory of 2376 | 2052 | tmp.exe | 29
PID 2052 wrote to memory of 2376 | 2052 | tmp.exe | 29
PID 2052 wrote to memory of 2376 | 2052 | tmp.exe | 29
PID 2052 wrote to memory of 2376 | 2052 | tmp.exe | 29
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2052 wrote to memory of 2652 | 2052 | tmp.exe | 30
PID 2652 wrote to memory of 2536 | 2652 | RegAsm.exe | 32
PID 2652 wrote to memory of 2536 | 2652 | RegAsm.exe | 32
PID 2652 wrote to memory of 2536 | 2652 | RegAsm.exe | 32
PID 2652 wrote to memory of 2536 | 2652 | RegAsm.exe | 32
PID 2652 wrote to memory of 2684 | 2652 | RegAsm.exe | 31
PID 2652 wrote to memory of 2684 | 2652 | RegAsm.exe | 31
PID 2652 wrote to memory of 2684 | 2652 | RegAsm.exe | 31
PID 2652 wrote to memory of 2684 | 2652 | RegAsm.exe | 31
PID 2536 wrote to memory of 1800 | 2536 | STAR.exe | 34
PID 2536 wrote to memory of 1800 | 2536 | STAR.exe | 34
PID 2536 wrote to memory of 1800 | 2536 | STAR.exe | 34
PID 2536 wrote to memory of 1800 | 2536 | STAR.exe | 34
PID 2652 wrote to memory of 1296 | 2652 | RegAsm.exe | 35
PID 2652 wrote to memory of 1296 | 2652 | RegAsm.exe | 35
PID 2652 wrote to memory of 1296 | 2652 | RegAsm.exe | 35
PID 2652 wrote to memory of 1296 | 2652 | RegAsm.exe | 35
PID 1296 wrote to memory of 2348 | 1296 | cmd.exe | 37
PID 1296 wrote to memory of 2348 | 1296 | cmd.exe | 37
PID 1296 wrote to memory of 2348 | 1296 | cmd.exe | 37
PID 1296 wrote to memory of 2348 | 1296 | cmd.exe | 37
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 2052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2376)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2652)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe (PID 2684)
      Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe (PID 2536)
      Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe (PID 1800)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 1296)
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\choice.exe (PID 2348)
        Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1: 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256: 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512: 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Filesize: 570KB
MD5: ea037914e6f1aa6a8ad565407158d49b
SHA1: 5fbbd923c0bbcf33fafca5a0ed847c19478856e5
SHA256: 9deee2315490381305b70eeaff5805df00d10feb9d9f78fbce33b3cd5795ed73
SHA512: 369943b3ac01a8c89c7d163391e60c2a4f9f616ade5161df8a67e75c490ff4a70b37d4b617675518c924d2fbc07605a37d4f76166da9becefcb4bd5052a69e55

Filesize: 313KB
MD5: 753db7d6804f9f27aaf30fe62c00a011
SHA1: 4c29fef91e4a099c08b90c0aa9f0397fba36d452
SHA256: 8f09598518b4d2a084e1fe1068c43027fe9e6caed74de0926bdac110a305ac2c
SHA512: 7ff04ef374e8a97b58f110dbf3451493c2e2644fce3935a6d4107074819d9547ea861c06a2ed24b5d459f41784bcc0be107c920e78310332ca50f3143b7ac830