Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
24-04-2024 14:26
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240221-en
General
-
Target
file.exe
-
Size
1.9MB
-
MD5
19dbb47666f2eb1bb2889c42fc2fd3db
-
SHA1
0eeeef0203c5e51e07f521ff4d8d29a422319316
-
SHA256
09570f445a9a80479957a36ea2e038800d5a01acf338793274f936c108f21f24
-
SHA512
8311734676547436fc48423f7481ce1499003934cba291720b841779dbca9041914d58d9958f5b94a15a5c32e7c45ebea439886f0d51b61584280ebd7b782856
-
SSDEEP
49152:YI4RI1ayrqA8h2uJeRoWHDyct4BhbXjz1xfc242:YbLUqDh2uiSS4BlXnbk2V
Malware Config
Extracted
redline
bild1
193.233.132.169:37732
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
file.exework.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation work.exe -
Executes dropped EXE 2 IoCs
Processes:
work.exefeswa.exepid process 3520 work.exe 3816 feswa.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
feswa.exepid process 3816 feswa.exe 3816 feswa.exe 3816 feswa.exe 3816 feswa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
feswa.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 feswa.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 feswa.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
feswa.exepid process 3816 feswa.exe 3816 feswa.exe 3816 feswa.exe 3816 feswa.exe 3816 feswa.exe 3816 feswa.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
feswa.exedescription pid process Token: SeDebugPrivilege 3816 feswa.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
feswa.exepid process 3816 feswa.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
file.execmd.exework.exedescription pid process target process PID 8 wrote to memory of 4068 8 file.exe cmd.exe PID 8 wrote to memory of 4068 8 file.exe cmd.exe PID 8 wrote to memory of 4068 8 file.exe cmd.exe PID 4068 wrote to memory of 3520 4068 cmd.exe work.exe PID 4068 wrote to memory of 3520 4068 cmd.exe work.exe PID 4068 wrote to memory of 3520 4068 cmd.exe work.exe PID 3520 wrote to memory of 3816 3520 work.exe feswa.exe PID 3520 wrote to memory of 3816 3520 work.exe feswa.exe PID 3520 wrote to memory of 3816 3520 work.exe feswa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exework.exe -priverdD3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\feswa.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\feswa.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3816
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.batFilesize
35B
MD5ff59d999beb970447667695ce3273f75
SHA1316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exeFilesize
1.6MB
MD5db5af0b8f6e4bdb07b5bec9fb8de1b7f
SHA1c13e24f41335e760a568f90866d12db7a6e22c40
SHA256b7f10a2008a274bdff2ebcb2d62988346111eb4c599a0c0ad8f7a663e5829a3f
SHA512c2a98ea04ceabab081f518d1d7ec64926e84767e6a34d09e9af407aab6b1fb82c8b983c29da2369646d6af9dddfa3ea893fe414615a67ff43a225fa32cd3caa8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\feswa.exeFilesize
1.3MB
MD528cbe77f47c6e613c90cf1b449051bf2
SHA1f61c1774d50580f45fb5572f6692704450017422
SHA256ec44944da55ed605aa11199b62fa6ba170155d4a67f263a75888c61b6648b813
SHA512a622db347065565460c21b1b2eca70b4e5a4ee2ff8c97b7f955a96ed17c3791b0d0495b175580fddb661199f09524a1b6b75aaf5e2a2d33277f46cca75d55f07
-
C:\Users\Admin\AppData\Local\Temp\Tmp3C8C.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3816-51-0x0000000007150000-0x0000000007162000-memory.dmpFilesize
72KB
-
memory/3816-52-0x00000000071B0000-0x00000000071EC000-memory.dmpFilesize
240KB
-
memory/3816-26-0x0000000005A80000-0x0000000005B12000-memory.dmpFilesize
584KB
-
memory/3816-27-0x0000000005C40000-0x0000000005C50000-memory.dmpFilesize
64KB
-
memory/3816-28-0x00000000037C0000-0x00000000037CA000-memory.dmpFilesize
40KB
-
memory/3816-24-0x00000000728D0000-0x0000000073080000-memory.dmpFilesize
7.7MB
-
memory/3816-45-0x00000000066C0000-0x0000000006736000-memory.dmpFilesize
472KB
-
memory/3816-46-0x0000000006F80000-0x0000000006F9E000-memory.dmpFilesize
120KB
-
memory/3816-49-0x00000000076C0000-0x0000000007CD8000-memory.dmpFilesize
6.1MB
-
memory/3816-23-0x0000000000A40000-0x0000000000E14000-memory.dmpFilesize
3.8MB
-
memory/3816-50-0x0000000007210000-0x000000000731A000-memory.dmpFilesize
1.0MB
-
memory/3816-25-0x0000000005F90000-0x0000000006534000-memory.dmpFilesize
5.6MB
-
memory/3816-53-0x0000000007320000-0x000000000736C000-memory.dmpFilesize
304KB
-
memory/3816-54-0x0000000007460000-0x00000000074C6000-memory.dmpFilesize
408KB
-
memory/3816-57-0x0000000007670000-0x00000000076C0000-memory.dmpFilesize
320KB
-
memory/3816-59-0x0000000000A40000-0x0000000000E14000-memory.dmpFilesize
3.8MB
-
memory/3816-61-0x00000000728D0000-0x0000000073080000-memory.dmpFilesize
7.7MB
-
memory/3816-62-0x0000000005C40000-0x0000000005C50000-memory.dmpFilesize
64KB
-
memory/3816-64-0x0000000008630000-0x00000000087F2000-memory.dmpFilesize
1.8MB
-
memory/3816-65-0x0000000008D30000-0x000000000925C000-memory.dmpFilesize
5.2MB
-
memory/3816-68-0x0000000000A40000-0x0000000000E14000-memory.dmpFilesize
3.8MB
-
memory/3816-69-0x00000000728D0000-0x0000000073080000-memory.dmpFilesize
7.7MB
-
memory/3816-22-0x0000000000A40000-0x0000000000E14000-memory.dmpFilesize
3.8MB