Overview

overview

10

Static

static

1

Easy_L0ader.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/02/2024, 18:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Easy_L0ader.rar

  • Size

    35.7MB

  • MD5

    8e4cbe4e5ecabd01fa483dca6ec16537

  • SHA1

    9307be3b07f992965dc430aaedd78ca6bbf2f33e

  • SHA256

    970c25a64e64286009cec1758ea21643f2327361b66262768489cc9a77c9d6bd

  • SHA512

    7407adb0765c5e2a75ef0a8d8a9f5c51d69cd50315f7a49d9334e325cc57e2b9e58ab79a1f8c4b401767c32c95c4dbd824a5f07291db72151b5fffa3be88ceab

  • SSDEEP

    786432:KUnIK3Yvyn+3tF52WjM3QEgCjI4PqNwp/7Nm5bUKVrGc9Cn2AT78vi:FnIKOynEt2aOIrY/7SbPVrGck2A78K

Score
10/10
redline@l0rd667discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

@l0rd667

C2

45.15.156.167:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Easy_L0ader.rar
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4516
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Easy_L0ader.rar"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Users\Admin\AppData\Local\Temp\7zO4ACA9887\loa_der.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO4ACA9887\loa_der.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:32
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3408
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1280

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zO4ACA9887\loa_der.exe
      Filesize

      483KB

      MD5

      177965a39c0b1efe801563768221b1aa

      SHA1

      09c663a6ab38bfdc61e0a9f7c361fe4d03a525d7

      SHA256

      1fb32b18b838f3b596d64cf41ce12afd58c031cb05cf1b5fc5b5bd26aaa862cf

      SHA512

      d26f2dba58a655fa183ed942ff0b0f5f7e516c0acb3e9d1f6e531795cab4a77bdc8cc434f0182a051a22652c3cdef8190521e572324cc104d04d6ab8162a91df

      Download Submit

    • memory/32-33-0x0000000006A00000-0x0000000006A3C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/32-31-0x0000000006A70000-0x0000000006B7A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/32-53-0x00000000747A0000-0x0000000074F50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/32-46-0x000000000AC50000-0x000000000B17C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/32-40-0x000000000A550000-0x000000000A712000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/32-36-0x00000000092C0000-0x0000000009310000-memory.dmp

      Filesize

      320KB

      Download

    • memory/32-35-0x0000000008F00000-0x0000000008F66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/32-21-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/32-25-0x00000000053A0000-0x0000000005432000-memory.dmp

      Filesize

      584KB

      Download

    • memory/32-34-0x0000000006B80000-0x0000000006BCC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/32-32-0x00000000069A0000-0x00000000069B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/32-27-0x00000000747A0000-0x0000000074F50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/32-28-0x0000000005620000-0x0000000005630000-memory.dmp

      Filesize

      64KB

      Download

    • memory/32-29-0x0000000005380000-0x000000000538A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/32-30-0x0000000006D10000-0x0000000007328000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2980-12-0x00000000747A0000-0x0000000074F50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2980-16-0x0000000004C20000-0x00000000051C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2980-26-0x0000000002600000-0x0000000004600000-memory.dmp

      Filesize

      32.0MB

      Download

    • memory/2980-24-0x00000000747A0000-0x0000000074F50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2980-18-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2980-17-0x0000000004B80000-0x0000000004BDA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/2980-54-0x0000000002600000-0x0000000004600000-memory.dmp

      Filesize

      32.0MB

      Download

    • memory/2980-14-0x0000000004AE0000-0x0000000004B3C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/2980-15-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2980-13-0x0000000004C10000-0x0000000004C20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3408-44-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-39-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-47-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-48-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-45-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-49-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-50-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-51-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-38-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-37-0x0000013AE12A0000-0x0000013AE12A1000-memory.dmp

      Filesize

      4KB

      Download