Analysis
- max time kernel: 142s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 18:08
Static task: static1

Behavioral tasks:

| Task | Sample | Resource |
|---|---|---|
| behavioral1 | excellent.rar | win7-20240611-en |
| behavioral2 | excellent.rar | win10v2004-20240226-en |
| behavioral3 | excellent.exe | win7-20240508-en |
| behavioral4 | excellent.exe | win10v2004-20240611-en |
| behavioral5 | libGLESv2.dll | win7-20240508-en |
| behavioral6 | libGLESv2.dll | win10v2004-20240611-en |
| behavioral7 | updater.ini | win7-20240419-en |
| behavioral8 | updater.ini | win10v2004-20240226-en |
General
- Target: excellent.rar
- Size: 8.2MB
- MD5: 74390a2247fd11601ddbe918121b2a2a
- SHA1: 67986feefd597389e1fc1d8386af318100f446a2
- SHA256: 0a31cb7d5b2cdaec7287a6e3a9338f7da9922b85693d5111aa50ec43dde3d3de
- SHA512: 05be574b9b39197e7da11949a9e8d8d07eefffcdd91b26127356e53f0952c03d8e5668b9bffc3fefe8b67ea35fdc292c70275981312b7516afd11dd4f87ace9f
- SSDEEP: 196608:tDT22I/nk9psflVIhoFaTQRn4gE+trIghtZmUmvBH:tDLI/nYUlVJRBDEgrIgh6Xvd
Malware Config
Extracted (family: redline):
- 6627938439_99
- https://t.me/+J_Z1QGHfHko0MGZi*https://steamcommunity.com/id/elcadillac
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:

  | resource | yara_rule |
  |---|---|
  | behavioral2/memory/3792-16-0x00000000001C0000-0x00000000001E2000-memory.dmp | family_redline |

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:

  | description | ioc | process |
  |---|---|---|
  | Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | cmd.exe |

- Executes dropped EXE (1 IoC)
  Processes:

  | pid | process |
  |---|---|
  | 2748 | excellent.exe |

- Loads dropped DLL (1 IoC)
  Processes:

  | pid | process |
  |---|---|
  | 2748 | excellent.exe |

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:

  | description | pid | process | target process |
  |---|---|---|---|
  | PID 2748 set thread context of 3792 | 2748 | excellent.exe | MSBuild.exe |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes:

  | description | ioc | process |
  |---|---|---|
  | Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | cmd.exe |

- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes:

  | pid | process | occurrences |
  |---|---|---|
  | 3792 | MSBuild.exe | 28 |

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:

  | pid | process |
  |---|---|
  | 1384 | 7zFM.exe |

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:

  | description | pid | process |
  |---|---|---|
  | Token: SeRestorePrivilege | 1384 | 7zFM.exe |
  | Token: 35 | 1384 | 7zFM.exe |
  | Token: SeSecurityPrivilege | 1384 | 7zFM.exe |
  | Token: SeDebugPrivilege | 3792 | MSBuild.exe |

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:

  | pid | process | occurrences |
  |---|---|---|
  | 1384 | 7zFM.exe | 2 |

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:

  | description | pid | process | target process | occurrences |
  |---|---|---|---|---|
  | PID 4832 wrote to memory of 1384 | 4832 | cmd.exe | 7zFM.exe | 2 |
  | PID 2748 wrote to memory of 3792 | 2748 | excellent.exe | MSBuild.exe | 8 |
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\excellent.rar
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe (child)
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\excellent.rar"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\Desktop\excellent.exe
  Command line: "C:\Users\Admin\Desktop\excellent.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\d3d9.dll
  - Filesize: 231KB
  - MD5: 40ac80e3b938041fb1af40368973ac95
  - SHA1: 076439ed562ea031ae1dfbe0693e5d5d7f75850c
  - SHA256: 035fdc6610474b861796d4f96c9f8f9ea2a74e9ccbc1d9d718f434ca638f6ca6
  - SHA512: c458bfefebcf831933befb5bb3193733c09176157e2c602f321db8ec7577d93ddf58430cd8b042e2f9fe086ef90e3d40e570b2b9f43cdbbc299db18e93426bad
- C:\Users\Admin\Desktop\excellent.exe
  - Filesize: 296KB
  - MD5: efad4f96f696391769ef9944978dbb3b
  - SHA1: 42ad30f7af140544eaeb8cc32d8fe5568aca8944
  - SHA256: 26e9f0c78dde027c60eeacca5852a8f08853c440048ae45cbb054fd12e0cddd2
  - SHA512: 427b793cd433be1251d8348a5d788ff4c927c5c78c6d2ad15a5de4de64f57e1c0182534d180de388734e28a4563f1b92fc30f1365356bd2fe6546beaf6da9da4
Memory dumps:

| Dump | Filesize |
|---|---|
| memory/2748-8-0x0000000000D40000-0x0000000000D94000-memory.dmp | 336KB |
| memory/2748-9-0x0000000003330000-0x0000000003336000-memory.dmp | 24KB |
| memory/3792-21-0x0000000005040000-0x000000000514A000-memory.dmp | 1.0MB |
| memory/3792-24-0x0000000006060000-0x0000000006222000-memory.dmp | 1.8MB |
| memory/3792-19-0x0000000005490000-0x0000000005AA8000-memory.dmp | 6.1MB |
| memory/3792-20-0x0000000004F10000-0x0000000004F22000-memory.dmp | 72KB |
| memory/3792-16-0x00000000001C0000-0x00000000001E2000-memory.dmp | 136KB |
| memory/3792-22-0x0000000005CF0000-0x0000000005D2C000-memory.dmp | 240KB |
| memory/3792-23-0x0000000005D30000-0x0000000005D7C000-memory.dmp | 304KB |
| memory/3792-18-0x0000000004980000-0x00000000049E6000-memory.dmp | 408KB |
| memory/3792-25-0x0000000006760000-0x0000000006C8C000-memory.dmp | 5.2MB |
| memory/3792-26-0x0000000007240000-0x00000000077E4000-memory.dmp | 5.6MB |
| memory/3792-27-0x00000000063D0000-0x0000000006462000-memory.dmp | 584KB |
| memory/3792-28-0x0000000006470000-0x00000000064C0000-memory.dmp | 320KB |
| memory/3792-29-0x0000000006620000-0x0000000006696000-memory.dmp | 472KB |
| memory/3792-30-0x00000000064C0000-0x00000000064DE000-memory.dmp | 120KB |