Analysis

- max time kernel: 28s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 06:01

Static task: static1
Behavioral task: behavioral1
Sample: E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
Resource: win7-20240704-en
General

- Target: E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
- Size: 657KB
- MD5: e87ad5f7041eff087b6bff15cf1dab3a
- SHA1: 9a22fb7c1769a517b4b72e4310ff7c9f399f0f32
- SHA256: a03e5ea28a045edffc05c69ec5d06601425b60ec2523448bd46e14ff17643c95
- SHA512: b6477f6e27aefd2851b5827ef202e7b918e5085afaa21ad9fdbde3d3aeae87cd4e1020ce207e1b276ed472c77f30063abde39f24e71c657bbfe9bf6191b5a815
- SSDEEP: 12288:J7PcxgeYL893+uJ6C+Qs8ffuc2BgFEM0XZJEmJ2rIO:JbcYgBqSfuc2Bgn0smJUN
Malware Config

Extracted
- Family: redline
- Botnet: cheat
- C2: 185.222.57.147:55615
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2584-13-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2584-21-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2584-19-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2584-17-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2584-12-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
-
SectopRAT payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2584-13-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/2584-21-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/2584-19-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/2584-17-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/2584-12-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and similar artifacts.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2488 set thread context of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
2584 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
2584 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
Token: SeDebugPrivilege | 2584 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2488 wrote to memory of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
PID 2488 wrote to memory of 2584 | 2488 | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe | E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\E87AD5F7041EFF087B6BFF15CF1DAB3A.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\E87AD5F7041EFF087B6BFF15CF1DAB3A.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\E87AD5F7041EFF087B6BFF15CF1DAB3A.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\E87AD5F7041EFF087B6BFF15CF1DAB3A.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5D62.tmp
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- C:\Users\Admin\AppData\Local\Temp\tmp5DB6.tmp
  Filesize: 92KB
  MD5: dd6944619a1cff7c63c0e49ed65368ca
  SHA1: a055ce9efa2206cdc35b924d43a5d06f453ce777
  SHA256: 58ea6de2879649260c0a62b6e8e045e88c3311978e993f63a8dfcdb0dba9f05d
  SHA512: 856d454cd202fc39bec08f7ea7fb9c631e5531c1d5ffc269d3ea4ef2cdd568b176da0f8e00ffd8c80eaad461cecbce213fa4cd46b142a7760fd32815261fddd7
- memory/2488-22-0x0000000073B60000-0x000000007424E000-memory.dmp, Filesize: 6.9MB
- memory/2488-0-0x0000000073B6E000-0x0000000073B6F000-memory.dmp, Filesize: 4KB
- memory/2488-4-0x00000000003A0000-0x00000000003B0000-memory.dmp, Filesize: 64KB
- memory/2488-5-0x0000000000500000-0x000000000050E000-memory.dmp, Filesize: 56KB
- memory/2488-6-0x0000000000E20000-0x0000000000E80000-memory.dmp, Filesize: 384KB
- memory/2488-3-0x0000000000A10000-0x0000000000A82000-memory.dmp, Filesize: 456KB
- memory/2488-1-0x0000000000E90000-0x0000000000F3A000-memory.dmp, Filesize: 680KB
- memory/2488-2-0x0000000073B60000-0x000000007424E000-memory.dmp, Filesize: 6.9MB
- memory/2584-9-0x0000000000400000-0x000000000041E000-memory.dmp, Filesize: 120KB
- memory/2584-19-0x0000000000400000-0x000000000041E000-memory.dmp, Filesize: 120KB
- memory/2584-8-0x0000000000400000-0x000000000041E000-memory.dmp, Filesize: 120KB
- memory/2584-17-0x0000000000400000-0x000000000041E000-memory.dmp, Filesize: 120KB
- memory/2584-12-0x0000000000400000-0x000000000041E000-memory.dmp, Filesize: 120KB
- memory/2584-21-0x0000000000400000-0x000000000041E000-memory.dmp, Filesize: 120KB
- memory/2584-23-0x0000000073B60000-0x000000007424E000-memory.dmp, Filesize: 6.9MB
- memory/2584-24-0x0000000073B60000-0x000000007424E000-memory.dmp, Filesize: 6.9MB
- memory/2584-13-0x0000000000400000-0x000000000041E000-memory.dmp, Filesize: 120KB
- memory/2584-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp, Filesize: 4KB
- memory/2584-97-0x0000000073B60000-0x000000007424E000-memory.dmp, Filesize: 6.9MB