Overview

overview

10

Static

static

10

362b8e049e...1b.exe

windows7-x64

10

362b8e049e...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/02/2024, 04:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    362b8e049e3ab792eeee6bde4ca2491b.exe

  • Size

    1.5MB

  • MD5

    362b8e049e3ab792eeee6bde4ca2491b

  • SHA1

    e185df4e0e40cf2a68251d18979b21a812c5a545

  • SHA256

    b08a80b3d8ed960304fd66086b3c2cf13745118e04d6db99f9b0ff68b869b4cf

  • SHA512

    7beb758ee55c1c8577fc1a148a50949e48138e2a41681851a3681cbe5077d129e8fa11045bf42dd9cbb22e6b1aaee86a889bc2a04e61b6030892333bf2859643

  • SSDEEP

    24576:QW5V1bZzMgWhLtsYsvkdnddMF2ScVC3oKNVpNXIRf4cvuy4jS:j6hJhXnddG2lCYKTpNXIt

Score
10/10
redlineyt&team clouddiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

YT&TEAM CLOUD

C2

185.172.128.33:8924

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\362b8e049e3ab792eeee6bde4ca2491b.exe
    "C:\Users\Admin\AppData\Local\Temp\362b8e049e3ab792eeee6bde4ca2491b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        3⤵
        • Executes dropped EXE
        PID:3336
    • C:\Users\Admin\AppData\Roaming\configurationValue\yttam.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\yttam.exe"
      2⤵
      • Executes dropped EXE
      PID:4284
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 804
        3⤵
        • Program crash
        PID:1664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "362b8e049e3ab792eeee6bde4ca2491b.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4284 -ip 4284
    1⤵
      PID:904
    • C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      1⤵
        PID:2884

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
              Filesize

              4KB

              MD5

              a5ce3aba68bdb438e98b1d0c70a3d95c

              SHA1

              013f5aa9057bf0b3c0c24824de9d075434501354

              SHA256

              9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

              SHA512

              7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

              Download Submit

            • C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
              Filesize

              570KB

              MD5

              ea037914e6f1aa6a8ad565407158d49b

              SHA1

              5fbbd923c0bbcf33fafca5a0ed847c19478856e5

              SHA256

              9deee2315490381305b70eeaff5805df00d10feb9d9f78fbce33b3cd5795ed73

              SHA512

              369943b3ac01a8c89c7d163391e60c2a4f9f616ade5161df8a67e75c490ff4a70b37d4b617675518c924d2fbc07605a37d4f76166da9becefcb4bd5052a69e55

              Download Submit

            • C:\Users\Admin\AppData\Roaming\configurationValue\yttam.exe
              Filesize

              313KB

              MD5

              5c8486dd5bd5b0c6200ccd283cf55cce

              SHA1

              156476322236a27ff550015c0042d91524e406a7

              SHA256

              8c86ad926fc0a8599a210fdac2d60a461e183b154d6db62a67777cd301aa671f

              SHA512

              66f66fc8ac117751cdfa1bae87513909b04784c9580bc768a3c3388fe7cc76058b3349ebd15c51c256347a2394292154c3119d37970764c39aed1d5605c59e07

              Download Submit

            • memory/1716-41-0x0000000008190000-0x0000000008352000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/1716-36-0x0000000006D60000-0x0000000007304000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1716-56-0x0000000074800000-0x0000000074FB0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1716-24-0x0000000000FA0000-0x0000000001034000-memory.dmp

              Filesize

              592KB

              Download

            • memory/1716-27-0x0000000074800000-0x0000000074FB0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1716-28-0x0000000005860000-0x0000000005870000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1716-29-0x0000000005E90000-0x00000000064A8000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/1716-30-0x00000000058C0000-0x00000000058D2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1716-31-0x00000000059F0000-0x0000000005AFA000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/1716-32-0x0000000005920000-0x000000000595C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1716-33-0x0000000005980000-0x00000000059CC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1716-42-0x0000000008890000-0x0000000008DBC000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/1716-35-0x0000000005D40000-0x0000000005DA6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1716-40-0x00000000079E0000-0x0000000007A30000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1716-37-0x0000000006850000-0x00000000068E2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/1716-38-0x00000000068F0000-0x0000000006966000-memory.dmp

              Filesize

              472KB

              Download

            • memory/1716-39-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/3336-54-0x0000000000B40000-0x0000000000B48000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3336-57-0x00007FFAB6750000-0x00007FFAB7211000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3336-59-0x00007FFAB6750000-0x00007FFAB7211000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3664-0-0x0000000074800000-0x0000000074FB0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3664-1-0x0000000000760000-0x00000000008F2000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3664-58-0x0000000074800000-0x0000000074FB0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4284-25-0x0000000074800000-0x0000000074FB0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4284-34-0x0000000074800000-0x0000000074FB0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4284-26-0x0000000000D40000-0x0000000000D94000-memory.dmp

              Filesize

              336KB

              Download