Analysis
-
max time kernel
135s -
max time network
136s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
01-11-2020 06:47
Static task
static1
Behavioral task
behavioral1
Sample
6943b3380427465a7998ddf3a96945a0.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
6943b3380427465a7998ddf3a96945a0.exe
Resource
win10v20201028
General
-
Target
6943b3380427465a7998ddf3a96945a0.exe
-
Size
343KB
-
MD5
6943b3380427465a7998ddf3a96945a0
-
SHA1
abb680ef5e005da1610828d518c15a250b001fd9
-
SHA256
94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
-
SHA512
5c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1040-4-0x0000000002360000-0x0000000002384000-memory.dmp family_redline behavioral1/memory/1040-5-0x0000000003FB0000-0x0000000003FD2000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 checkip.amazonaws.com -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
6943b3380427465a7998ddf3a96945a0.exepid process 1040 6943b3380427465a7998ddf3a96945a0.exe 1040 6943b3380427465a7998ddf3a96945a0.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
6943b3380427465a7998ddf3a96945a0.exedescription pid process Token: SeDebugPrivilege 1040 6943b3380427465a7998ddf3a96945a0.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
6943b3380427465a7998ddf3a96945a0.execmd.exedescription pid process target process PID 1040 wrote to memory of 1468 1040 6943b3380427465a7998ddf3a96945a0.exe cmd.exe PID 1040 wrote to memory of 1468 1040 6943b3380427465a7998ddf3a96945a0.exe cmd.exe PID 1040 wrote to memory of 1468 1040 6943b3380427465a7998ddf3a96945a0.exe cmd.exe PID 1040 wrote to memory of 1468 1040 6943b3380427465a7998ddf3a96945a0.exe cmd.exe PID 1468 wrote to memory of 828 1468 cmd.exe PING.EXE PID 1468 wrote to memory of 828 1468 cmd.exe PING.EXE PID 1468 wrote to memory of 828 1468 cmd.exe PING.EXE PID 1468 wrote to memory of 828 1468 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\6943b3380427465a7998ddf3a96945a0.exe"C:\Users\Admin\AppData\Local\Temp\6943b3380427465a7998ddf3a96945a0.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/828-9-0x0000000000000000-mapping.dmp
-
memory/1040-0-0x0000000002459000-0x000000000245A000-memory.dmpFilesize
4KB
-
memory/1040-1-0x0000000003E40000-0x0000000003E51000-memory.dmpFilesize
68KB
-
memory/1040-2-0x0000000004060000-0x0000000004071000-memory.dmpFilesize
68KB
-
memory/1040-3-0x0000000074800000-0x0000000074EEE000-memory.dmpFilesize
6.9MB
-
memory/1040-4-0x0000000002360000-0x0000000002384000-memory.dmpFilesize
144KB
-
memory/1040-5-0x0000000003FB0000-0x0000000003FD2000-memory.dmpFilesize
136KB
-
memory/1468-8-0x0000000000000000-mapping.dmp