Analysis
max time kernel: 139s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-02-2024 08:09
Static task: static1
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20231215-en
General
Target: tmp.exe
Size: 1.6MB
MD5: 8c281571c5fdaf40aa847d90e5a81075
SHA1: 041fa6e79e9027350c1f241375687de7f8cba367
SHA256: 0182e73c39240c0e660bbdd4262209f08d767562d4794b7ed5e36a4d4f36b409
SHA512: b0e481681b02e4cc4f95deff2fa21354f94ad34e6611d97de3a127ae285038164df724f3db27bbf03caa217c3d8dabf77bfdadeaf9af8a1915edacbd35c1c862
SSDEEP: 24576:+oTMZJmDclvSgPUbKzCT7x31NeeVQjeXCNvVrZb1muw7aYDBE86:gZE4lvqKu7x32eVQiXI5Xmj7te
Malware Config
Extracted
Family: redline
Botnet ID: @logscloudyt_bot
C2: 185.172.128.33:8924
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral2/files/0x000600000002312c-18.dat | family_redline
behavioral2/files/0x000600000002312c-30.dat | family_redline
behavioral2/memory/2808-36-0x0000000000FE0000-0x0000000001034000-memory.dmp | family_redline

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | STAR.exe

Drops startup file (1 IoC)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | STAR.exe

Executes dropped EXE (3 IoCs)
pid | process
2808 | bott.exe
2896 | STAR.exe
3128 | qemu-ga.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | procid_target
PID 4840 set thread context of 2196 | 4840 | tmp.exe | 86

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | process
2896 | STAR.exe
2808 | bott.exe
2808 | bott.exe
2808 | bott.exe
2808 | bott.exe
2808 | bott.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2896 | STAR.exe
Token: SeDebugPrivilege | 2808 | bott.exe
Token: SeDebugPrivilege | 2196 | RegAsm.exe

Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | process | procid_target
PID 4840 wrote to memory of 4028 | 4840 | tmp.exe | 85
PID 4840 wrote to memory of 4028 | 4840 | tmp.exe | 85
PID 4840 wrote to memory of 4028 | 4840 | tmp.exe | 85
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 2196 wrote to memory of 2808 | 2196 | RegAsm.exe | 87
PID 2196 wrote to memory of 2808 | 2196 | RegAsm.exe | 87
PID 2196 wrote to memory of 2808 | 2196 | RegAsm.exe | 87
PID 2196 wrote to memory of 2896 | 2196 | RegAsm.exe | 88
PID 2196 wrote to memory of 2896 | 2196 | RegAsm.exe | 88
PID 2196 wrote to memory of 2896 | 2196 | RegAsm.exe | 88
PID 2896 wrote to memory of 3128 | 2896 | STAR.exe | 90
PID 2896 wrote to memory of 3128 | 2896 | STAR.exe | 90
PID 2196 wrote to memory of 468 | 2196 | RegAsm.exe | 93
PID 2196 wrote to memory of 468 | 2196 | RegAsm.exe | 93
PID 2196 wrote to memory of 468 | 2196 | RegAsm.exe | 93
PID 468 wrote to memory of 3088 | 468 | cmd.exe | 95
PID 468 wrote to memory of 3088 | 468 | cmd.exe | 95
PID 468 wrote to memory of 3088 | 468 | cmd.exe | 95
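The WriteProcessMemory and SetThreadContext rows together show the loader's injection: tmp.exe (PID 4840) wrote into two RegAsm.exe instances but reset the thread context of only one of them (PID 2196), which is the create-suspended / WriteProcessMemory / SetThreadContext / ResumeThread hollowing sequence; the other instance (PID 4028) has no further activity in this report. RegAsm.exe is a signed .NET Framework utility, so the RedLine payload then runs, spawns the dropped executables and launches the cleanup cmd.exe under a trusted image name. The script below is an added example, not sandbox tooling or output: it parses the IoC rows as copied from this section, rebuilds the parent/child tree and flags (parent, child) pairs that show both a memory write and a thread-context change. The KNOWN_IMAGES table (pids that only appear as targets, filled from the Processes section), the row regex and the hollowing heuristic are this example's own assumptions.

```python
"""Rebuild the process tree from the WriteProcessMemory / SetThreadContext IoC
rows and flag the process-hollowing pattern. Added example for this report;
the rows are copied from the Signatures section, everything else is assumed."""
import re
from collections import Counter, defaultdict

# IoC rows as listed in the report (constructed here by copying them in).
WPM_ROWS = """
PID 4840 wrote to memory of 4028 | 4840 | tmp.exe | 85
PID 4840 wrote to memory of 4028 | 4840 | tmp.exe | 85
PID 4840 wrote to memory of 4028 | 4840 | tmp.exe | 85
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 4840 wrote to memory of 2196 | 4840 | tmp.exe | 86
PID 2196 wrote to memory of 2808 | 2196 | RegAsm.exe | 87
PID 2196 wrote to memory of 2808 | 2196 | RegAsm.exe | 87
PID 2196 wrote to memory of 2808 | 2196 | RegAsm.exe | 87
PID 2196 wrote to memory of 2896 | 2196 | RegAsm.exe | 88
PID 2196 wrote to memory of 2896 | 2196 | RegAsm.exe | 88
PID 2196 wrote to memory of 2896 | 2196 | RegAsm.exe | 88
PID 2896 wrote to memory of 3128 | 2896 | STAR.exe | 90
PID 2896 wrote to memory of 3128 | 2896 | STAR.exe | 90
PID 2196 wrote to memory of 468 | 2196 | RegAsm.exe | 93
PID 2196 wrote to memory of 468 | 2196 | RegAsm.exe | 93
PID 2196 wrote to memory of 468 | 2196 | RegAsm.exe | 93
PID 468 wrote to memory of 3088 | 468 | cmd.exe | 95
PID 468 wrote to memory of 3088 | 468 | cmd.exe | 95
PID 468 wrote to memory of 3088 | 468 | cmd.exe | 95
"""
STC_ROWS = "PID 4840 set thread context of 2196 | 4840 | tmp.exe | 86\n"

# Image names for pids that only appear as targets (taken from the Processes section).
KNOWN_IMAGES = {4028: "RegAsm.exe", 2808: "bott.exe", 3128: "qemu-ga.exe", 3088: "choice.exe"}

# description | pid | process | procid_target  (assumed row layout)
ROW_RE = re.compile(
    r"PID (\d+) (?:wrote to memory of|set thread context of) (\d+) \| \d+ \| (\S+) \| \d+"
)


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image) for every row that matches."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, image = m.groups()
            rows.append((int(ppid), int(cpid), image))
    return rows


def build_tree(rows):
    """parent -> ordered unique children, pid -> image, and write count per (parent, child)."""
    children = defaultdict(list)
    images = dict(KNOWN_IMAGES)
    counts = Counter()
    for ppid, cpid, image in rows:
        images[ppid] = image
        counts[(ppid, cpid)] += 1
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return children, images, counts


def hollowing_candidates(wpm_rows, stc_rows):
    """Pairs where the parent both wrote into the child and replaced its thread
    context. A plain CreateProcess of a child shows writes only, so the
    SetThreadContext row is what separates injection from ordinary spawning."""
    written = {(p, c) for p, c, _ in wpm_rows}
    return sorted({(p, c) for p, c, _ in stc_rows if (p, c) in written})


def roots(children):
    targets = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in targets]


def render(children, images, pid, depth=0, out=None):
    """Indented text tree, one line per process, depth-first in write order."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {images.get(pid, '?')}")
    for c in children.get(pid, []):
        render(children, images, c, depth + 1, out)
    return out


if __name__ == "__main__":
    wpm, stc = parse_rows(WPM_ROWS), parse_rows(STC_ROWS)
    children, images, counts = build_tree(wpm)
    for r in roots(children):
        print("\n".join(render(children, images, r)))
    for p, c in hollowing_candidates(wpm, stc):
        print(f"hollowing: {p} {images[p]} -> {c} {images[c]} ({counts[(p, c)]} writes)")
```

Run stand-alone it prints the eight-process tree rooted at 4840 tmp.exe and a single hollowing line for 4840 -> 2196 with 8 writes; the three writes into PID 4028 produce no candidate because no SetThreadContext row names that pid.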
Processes
PID 4840 (level 1)  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID 4028 (level 2)  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  PID 2196 (level 2)  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 2808 (level 3)  C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 2896 (level 3)  C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID 3128 (level 4)  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        - Executes dropped EXE
    PID 468 (level 3)  C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      - Suspicious use of WriteProcessMemory
      PID 3088 (level 4)  C:\Windows\SysWOW64\choice.exe
        cmdline: choice /C Y /N /D Y /T 3
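Two details in the tree are worth checking for on other hosts. The cmd.exe line uses `choice /C Y /N /D Y /T 3` as a three-second sleep before `Del "RegAsm.exe"`; the delete target is a relative path, so which file is removed depends on cmd.exe's working directory, which the report does not show. The same process has image path C:\Windows\SysWOW64\cmd.exe while its command line names System32: the parent RegAsm.exe was started from the 32-bit Framework directory, so WOW64 file-system redirection rewrote the path. STAR.exe also writes qemu-ga.exe (a name borrowed from the QEMU guest agent) into the per-user Startup folder, which runs it at every logon. The script below is an added example, not sandbox tooling: it runs these checks over the report's records plus constructed benign control lines. The regexes, finding names and the `timeout /t N` variant (the other common cmd.exe sleep idiom, included to go beyond the exact form seen here) are this example's own constructions.

```python
"""Command-line and file-drop checks for the delayed self-delete and the
Startup-folder persistence seen in the process tree. Added example for this
report; sample records are copied from it, the rules are assumed."""
import re

# cmd.exe "sleep then delete": choice with a default answer and a timeout
# (the report's form), or the equivalent timeout /t N, followed by del/erase.
SLEEP_THEN_DELETE_RE = re.compile(
    r"(?:choice\s+/C\s+[A-Za-z]+\s+/N\s+/D\s+[A-Za-z]\s+/T\s+(?P<choice_t>\d+)"
    r"|timeout\s+(?:/t\s+)?(?P<timeout_t>\d+)(?:\s+/nobreak)?)"
    r"\s*&+\s*(?:del|erase)\s+(?:/[a-z]\s+)*\"?(?P<target>[^\"]+?)\"?\s*$",
    re.IGNORECASE,
)
# Per-user and all-users Startup folders: anything written here runs at logon.
STARTUP_RE = re.compile(
    r"\\(?:AppData\\Roaming|ProgramData)\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\([^\\]+)$",
    re.IGNORECASE,
)
# First token of a command line, quoted or bare: the path the process claims.
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def analyze_process(image_path, cmdline):
    """Findings for one process record (image path + command line)."""
    findings = {}
    m = SLEEP_THEN_DELETE_RE.search(cmdline)
    if m:
        delay = int(m.group("choice_t") or m.group("timeout_t"))
        findings["delayed_self_delete"] = {"delay_s": delay, "target": m.group("target")}
    t = FIRST_TOKEN_RE.match(cmdline)
    claimed = (t.group(1) or t.group(2)) if t else ""
    # Image under SysWOW64 while the command line names System32: the parent
    # is a 32-bit process and WOW64 file-system redirection rewrote the path.
    if "\\syswow64\\" in image_path.lower() and "\\system32\\" in claimed.lower():
        findings["wow64_redirected"] = True
    return findings


def analyze_file_create(path):
    """Findings for one 'File created' record."""
    m = STARTUP_RE.search(path)
    return {"startup_folder_drop": m.group(1)} if m else {}


# Records copied from the report, plus one constructed benign control line.
PROCESS_RECORDS = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"'),
    (r"C:\Windows\SysWOW64\choice.exe", r"choice /C Y /N /D Y /T 3"),
    (r"C:\Windows\System32\cmd.exe", r'cmd.exe /C choice /C YN /M "Continue?"'),  # constructed, benign
]
FILE_RECORDS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe",
    r"C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe",
]


def run_all():
    """Evaluate every record; return (record, findings) for those that hit."""
    hits = []
    for image, cmd in PROCESS_RECORDS:
        f = analyze_process(image, cmd)
        if f:
            hits.append((cmd, f))
    for path in FILE_RECORDS:
        f = analyze_file_create(path)
        if f:
            hits.append((path, f))
    return hits


if __name__ == "__main__":
    for rec, f in run_all():
        print(rec, "->", f)
```

The child choice.exe on its own does not hit: the sleep is only suspicious when it is chained to a delete in the same command line, and a `choice` prompt that waits for real input (no `/T`, or no `& del`) is left alone. The Startup check matches on the folder, not the file name, so it does not depend on the qemu-ga.exe masquerade.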
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1: 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256: 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512: 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Filesize: 570KB
MD5: ea037914e6f1aa6a8ad565407158d49b
SHA1: 5fbbd923c0bbcf33fafca5a0ed847c19478856e5
SHA256: 9deee2315490381305b70eeaff5805df00d10feb9d9f78fbce33b3cd5795ed73
SHA512: 369943b3ac01a8c89c7d163391e60c2a4f9f616ade5161df8a67e75c490ff4a70b37d4b617675518c924d2fbc07605a37d4f76166da9becefcb4bd5052a69e55

Filesize: 313KB
MD5: 753db7d6804f9f27aaf30fe62c00a011
SHA1: 4c29fef91e4a099c08b90c0aa9f0397fba36d452
SHA256: 8f09598518b4d2a084e1fe1068c43027fe9e6caed74de0926bdac110a305ac2c
SHA512: 7ff04ef374e8a97b58f110dbf3451493c2e2644fce3935a6d4107074819d9547ea861c06a2ed24b5d459f41784bcc0be107c920e78310332ca50f3143b7ac830