Analysis
-
max time kernel
85s -
max time network
197s -
platform
windows11-21h2_x64 -
resource
win11-20240214-en -
resource tags
arch:x64 arch:x86 image:win11-20240214-en locale:en-us os:windows11-21h2-x64 system -
submitted
07-04-2024 17:53
Static task
static1
Behavioral task
behavioral1
Sample
frf.rar
Resource
win11-20240214-en
General
-
Target
frf.rar
-
Size
3.1MB
-
MD5
58f4de6b7696beac715e95dae702b0be
-
SHA1
0dc721f94f58f67aec72cd72f24cb1fc8510bd04
-
SHA256
4d8a9a4d5c6b2280c7fde5fe7bca2ec92ebb5dc10620c8070fefd28ade097991
-
SHA512
0dfb4281d3d5a35f6b205446c8b9a7f9fa0254063e113a0b86a926d42f7e9fb96a1ce6774b84ce4164eedb134b7c1616e33d9fc7f9933f77e69849ad0001252c
-
SSDEEP
49152:nlCV1w6IJgtaf2RJP/Yx1VOwFN1aqdpKuy6sCdxfrRNFIfYuyMhoXFbJ:lM1NJtTRJIPUANRpKuxs4jZwygo11
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/1256-33-0x00000000055F0000-0x0000000005682000-memory.dmp   family_redline
behavioral1/memory/1256-39-0x0000000005700000-0x0000000005790000-memory.dmp   family_redline
-
Executes dropped EXE 2 IoCs
Processes:
pid   Process
3172  Brembo Loader.exe
448   Brembo Loader.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                           pid   Process            procid_target
PID 3172 set thread context of 1256   3172  Brembo Loader.exe  86
PID 448 set thread context of 4556    448   Brembo Loader.exe  95
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
pid   pid_target  Process       procid_target
4720  3172        WerFault.exe  84
2508  448         WerFault.exe  93
-
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                                      Process
Key created  \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings     cmd.exe
-
Modifies system certificate store 2 IoCs
A Blob written under SystemCertificates\ROOT\Certificates in HKLM adds a certificate to the machine-wide trusted root store; the subkey name is the certificate's SHA-1 thumbprint, which is the value to hunt for on other hosts (for example by listing Cert:\LocalMachine\Root) and to verify against the Windows root program before treating it as an implanted CA.
Processes:
description       ioc                                                                                                                                   Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064                    RegAsm.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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  RegAsm.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   Process
1256  RegAsm.exe
4556  RegAsm.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   Process
3488  7zFM.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description                 pid   Process
Token: SeRestorePrivilege   3488  7zFM.exe
Token: 35                   3488  7zFM.exe
Token: SeSecurityPrivilege  3488  7zFM.exe
Token: SeDebugPrivilege     1256  RegAsm.exe
Token: SeBackupPrivilege    1256  RegAsm.exe
Token: SeSecurityPrivilege  1256  RegAsm.exe
Token: SeSecurityPrivilege  1256  RegAsm.exe
Token: SeSecurityPrivilege  1256  RegAsm.exe
Token: SeSecurityPrivilege  1256  RegAsm.exe
Token: SeDebugPrivilege     4556  RegAsm.exe
Token: SeBackupPrivilege    4556  RegAsm.exe
Token: SeSecurityPrivilege  4556  RegAsm.exe
Token: SeSecurityPrivilege  4556  RegAsm.exe
Token: SeSecurityPrivilege  4556  RegAsm.exe
Token: SeSecurityPrivilege  4556  RegAsm.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   Process
3488  7zFM.exe
3488  7zFM.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description                        pid   Process            procid_target
PID 4948 wrote to memory of 3488   4948  cmd.exe            78
PID 4948 wrote to memory of 3488   4948  cmd.exe            78
PID 3172 wrote to memory of 1256   3172  Brembo Loader.exe  86
PID 3172 wrote to memory of 1256   3172  Brembo Loader.exe  86
PID 3172 wrote to memory of 1256   3172  Brembo Loader.exe  86
PID 3172 wrote to memory of 1256   3172  Brembo Loader.exe  86
PID 3172 wrote to memory of 1256   3172  Brembo Loader.exe  86
PID 3172 wrote to memory of 1256   3172  Brembo Loader.exe  86
PID 3172 wrote to memory of 1256   3172  Brembo Loader.exe  86
PID 3172 wrote to memory of 1256   3172  Brembo Loader.exe  86
PID 3172 wrote to memory of 1256   3172  Brembo Loader.exe  86
PID 448 wrote to memory of 4556    448   Brembo Loader.exe  95
PID 448 wrote to memory of 4556    448   Brembo Loader.exe  95
PID 448 wrote to memory of 4556    448   Brembo Loader.exe  95
PID 448 wrote to memory of 4556    448   Brembo Loader.exe  95
PID 448 wrote to memory of 4556    448   Brembo Loader.exe  95
PID 448 wrote to memory of 4556    448   Brembo Loader.exe  95
PID 448 wrote to memory of 4556    448   Brembo Loader.exe  95
PID 448 wrote to memory of 4556    448   Brembo Loader.exe  95
PID 448 wrote to memory of 4556    448   Brembo Loader.exe  95
-
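The SetThreadContext and WriteProcessMemory tables above describe the same two parent/child pairs: each Brembo Loader.exe instance (PID 3172, PID 448) writes into a RegAsm.exe it has just started (PID 1256, PID 4556) and then replaces a thread context in it. Write-then-SetThreadContext into a freshly spawned signed framework binary is the process-hollowing sequence, and it is consistent with the family_redline YARA hits landing in PID 1256's memory rather than in the loader's. The Python below is an added example, not part of this sandbox report or of any tool it names: it parses rows in the flattened "PID <pid> <action> <target> <pid> <image> <procid_target>" layout used by the tables above (the sample rows are constructed from those tables, one copy per distinct row) and correlates them into hollowing candidates. WriteProcessMemory on its own is deliberately not flagged, since the report shows cmd.exe doing exactly that to 7zFM.exe during an ordinary launch. The list of common host binaries and the severity labels are assumptions for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional


class Event(NamedTuple):
    api: str      # "WriteProcessMemory" or "SetThreadContext"
    pid: int      # acting process id
    image: str    # acting process image name (may contain spaces)
    target: int   # pid the call was aimed at


# One table row as it appears in the report's flattened signature tables.
_ROW = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (.+) \d+$"
)
_API = {
    "wrote to memory of": "WriteProcessMemory",
    "set thread context of": "SetThreadContext",
}


def parse_row(line: str) -> Optional[Event]:
    """Turn one flattened row into an Event; None for anything else."""
    m = _ROW.match(line.strip())
    if not m:
        return None
    pid, action, target, image = m.groups()
    return Event(_API[action], int(pid), image, int(target))


# Constructed sample: one copy of each distinct row from the tables above.
SAMPLE_ROWS = [
    "PID 4948 wrote to memory of 3488 4948 cmd.exe 78",
    "PID 3172 wrote to memory of 1256 3172 Brembo Loader.exe 86",
    "PID 3172 set thread context of 1256 3172 Brembo Loader.exe 86",
    "PID 448 wrote to memory of 4556 448 Brembo Loader.exe 95",
    "PID 448 set thread context of 4556 448 Brembo Loader.exe 95",
]

# Target pid -> image name, taken from the report's process tree.
TARGET_IMAGE = {3488: "7zFM.exe", 1256: "RegAsm.exe", 4556: "RegAsm.exe"}

# Assumed: signed .NET framework binaries commonly chosen as hollowing hosts.
COMMON_HOSTS = {
    "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "aspnet_compiler.exe",
}


def hollowing_candidates(events: Iterable[Event],
                         target_image: Dict[int, str]) -> List[dict]:
    """Flag (parent, child) pairs where the same parent both wrote into the
    child's memory and set a thread context there. A write with no context
    change is left alone: that is also what a shell does when launching a
    child, as the cmd.exe -> 7zFM.exe row shows."""
    seen = defaultdict(set)   # (parent pid, child pid) -> {api names}
    image_of: Dict[int, str] = {}
    for ev in events:
        seen[(ev.pid, ev.target)].add(ev.api)
        image_of[ev.pid] = ev.image

    hits = []
    for (pid, target), apis in sorted(seen.items()):
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            child = target_image.get(target, "?")
            hits.append({
                "parent_pid": pid, "parent": image_of[pid],
                "child_pid": target, "child": child,
                # Assumed scoring: a known host binary raises confidence.
                "severity": "high" if child.lower() in COMMON_HOSTS else "medium",
            })
    return hits


def analyse(rows: Iterable[str], target_image: Dict[int, str]) -> List[dict]:
    """Parse rows (skipping ones that do not match) and return candidates."""
    events = [ev for ev in map(parse_row, rows) if ev is not None]
    return hollowing_candidates(events, target_image)


if __name__ == "__main__":
    for hit in analyse(SAMPLE_ROWS, TARGET_IMAGE):
        print(hit)
```

Run stand-alone it prints two candidates, both Brembo Loader.exe into RegAsm.exe. On a real EDR feed the same correlation applies to NtWriteVirtualMemory/NtSetContextThread telemetry keyed on (source pid, target pid); adding the "child was created suspended by the same parent" condition tightens it further, but that field is not present in the tables above, so it is not modelled here.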
Processes
-
C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\frf.rar
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4948
    C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\frf.rar"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        PID:3488
-
C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:2736
-
C:\Users\Admin\Desktop\New folder\Brembo Loader.exe
    "C:\Users\Admin\Desktop\New folder\Brembo Loader.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3172
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:1256
    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 828
        - Program crash
        PID:4720
-
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3172 -ip 3172
    PID:2840
-
C:\Users\Admin\Desktop\New folder\Brembo Loader.exe
    "C:\Users\Admin\Desktop\New folder\Brembo Loader.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:448
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4556
    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 800
        - Program crash
        PID:2508
-
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 448 -ip 448
    PID:3164
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  2KB
MD5       18514361175f3afea0667587c0dad86c
SHA1      5d2f5a788f8747bfdfc87fe98387aa2f9bebb633
SHA256    d30dd2efb8bf06f2a61e8fcb8dbff8d021d4b7fc331c732e98ac25580cc0b14c
SHA512    76c4093685029b272ee1780dada3298f4fa0115a684925aaa2180b031c6f38182d8bcd1b483801eb972e6251b39879ff1070d17266dd6cfef7ec26ca1de04d51
-
Filesize  2KB
MD5       1420d30f964eac2c85b2ccfe968eebce
SHA1      bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256    f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512    6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize  2KB
MD5       b3d38ae17baab7284b45c76aacf25309
SHA1      a7ca5c07f499fc2acb3b526efedcdc2a121fd291
SHA256    2b90d1c75f1e6da878540efa57cb263d303eada27c0d3c0bfe18df61745c5272
SHA512    9febabdf15638291240227751f04f6932e5aa7b72189dbca4d0eac5b721cdcd8eec50603caf4ef002756dcea459430116615bcd00a518649c16862cc34101f00
-
Filesize  732KB
MD5       053f4312cef2c4b87dab159efedccb08
SHA1      75cf4286ee8131bcdd5857ffc6f97a765f5f7248
SHA256    a19ff1f1682f30e39769b199a30f00fbed768200b6fa367a1eee436c6d538354
SHA512    f47f5d9af72e7cc87df97788faad49b579cd0815f6e8082ca1ab73c62c45a89f188b0854a6b9bbd41e7eeeb33036ed94b022034509e1e275eb5380d59001fd78
-
Filesize  2KB
MD5       6e6311a1b543dcda645469f117749a90
SHA1      c12d21a358c3d97eded0c1bb5d448d59c8a1878c
SHA256    cd697e72ae83162e18b3f37dd57768c2112d04d35f8431fef8c45faeffe66089
SHA512    8a7bf0fbafc4468563641808c5a037decf6c34eb1a6b46b6a509ee1bc79999e6d7f48b01d792b4e86f78edf3fe8f47beafa2470b7c6e3d1c264c42a33a89e05d