Analysis
- max time kernel: 25s
- max time network: 23s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 02-11-2020 08:51

Static task: static1
Behavioral task: behavioral1 (Sample gfersd.exe, Resource win7v20201028)
Behavioral task: behavioral2 (Sample gfersd.exe, Resource win10v20201028)
General
- Target: gfersd.exe
- Size: 343KB
- MD5: 72131adb0e2315281aae445db11e09a2
- SHA1: 712ca2ebaa7d9bc9bbe18f7843954cfb0d22b08e
- SHA256: 9ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
- SHA512: bbc68fa0c586aaa7227da59848407672e7629e8f1289384add8638c21bab69d41495bcfc7881446b527e5aa4db14e1babc4f71dfee32b69705e6d3b64bf46a22
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload (2 IoCs)
YARA matches (resource, yara_rule):
  behavioral1/memory/1756-4-0x0000000006580000-0x00000000065A4000-memory.dmp  family_redline
  behavioral1/memory/1756-5-0x00000000065B0000-0x00000000065D2000-memory.dmp  family_redline
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly read stored browser data, which can include saved credentials.
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flow IoC (flow, ioc):
  8  checkip.amazonaws.com
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
  1756  gfersd.exe
  1756  gfersd.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeDebugPrivilege  1756  gfersd.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (pid, process -> target pid, target process):
  1756 gfersd.exe -> 1648 cmd.exe   (4 events)
  1648 cmd.exe    -> 940  PING.EXE  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\gfersd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gfersd.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 3
      - Runs ping.exe
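The three behaviours this report attributes to gfersd.exe (the Uninstall-key lookup under "Checks installed software", the checkip.amazonaws.com flow under "Looks up external IP address", and the cmd.exe child that runs ping 127.0.0.1 as a sleep before del, visible in the process tree above) can be turned into detection logic. The following is an added example written for this page, not code from the report or from the sandbox; it assumes a simplified, constructed JSON-lines trace format with "type", "pid", "ppid", "image", "cmdline", "key" and "name" fields, and the PIDs, images and command lines in the sample mirror the process tree above. The benign cmd.exe and msiexec.exe events and the rule names are likewise constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample trace (not taken from the report): one JSON event per
# line. The first five lines mirror the process tree above; the last two are
# benign look-alikes added to show what must not be flagged on its own.
SAMPLE_LOG = r'''
{"type": "process_create", "pid": 1756, "ppid": 1200, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfersd.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gfersd.exe\""}
{"type": "registry_open", "pid": 1756, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfersd.exe", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ExampleApp"}
{"type": "dns_query", "pid": 1756, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfersd.exe", "name": "checkip.amazonaws.com"}
{"type": "process_create", "pid": 1648, "ppid": 1756, "image": "C:\\Windows\\SysWOW64\\cmd.exe", "cmdline": "\"cmd.exe\" /C ping 127.0.0.1 -n 3 > nul & del \"\""}
{"type": "process_create", "pid": 940, "ppid": 1648, "image": "C:\\Windows\\SysWOW64\\PING.EXE", "cmdline": "ping 127.0.0.1 -n 3"}
{"type": "process_create", "pid": 2100, "ppid": 1200, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /C ping 10.0.0.1 -n 3 > nul"}
{"type": "registry_open", "pid": 2200, "image": "C:\\Windows\\System32\\msiexec.exe", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ExampleApp"}
'''

# Registry path fragment that the "Checks installed software" signature keys on.
UNINSTALL_KEY = r"\Microsoft\Windows\CurrentVersion\Uninstall"
# Seeded with the single host in this report's flow table; extend for other lookup services.
IP_LOOKUP_HOSTS = {"checkip.amazonaws.com"}
# "ping 127.0.0.1 -n N > nul & del <file>": ping against loopback is a sleep, then a delete.
PING_SLEEP_DELETE = re.compile(
    r"ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+.*?&\s*del\b", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Map each originating PID to the sorted list of rule names it triggered.

    A match on a cmd.exe command line is attributed to the process that spawned
    cmd.exe, so the whole chain rolls up on one PID (1756 in the sample).
    """
    parent_of = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    hits = defaultdict(set)
    for e in events:
        pid, kind = e["pid"], e["type"]
        if kind == "registry_open" and UNINSTALL_KEY.lower() in e["key"].lower():
            hits[pid].add("enumerates_installed_software")
        elif kind == "dns_query" and e["name"].lower() in IP_LOOKUP_HOSTS:
            hits[pid].add("external_ip_lookup")
        elif kind == "process_create" and PING_SLEEP_DELETE.search(e["cmdline"]):
            hits[parent_of.get(pid, pid)].add("ping_sleep_self_delete")
    return {pid: sorted(rules) for pid, rules in hits.items()}


def triage(findings, min_rules=2):
    """PIDs that tripped at least min_rules distinct rules.

    A lone Uninstall-key read is routine for installers and inventory agents
    (msiexec.exe in the sample), so it only counts alongside another behaviour.
    """
    return sorted(pid for pid, rules in findings.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for pid in triage(found):
        print(pid, ", ".join(found[pid]))
```

On a real host, Sysmon gives you the process-creation (Event ID 1) and DNS-query (Event ID 22) inputs for the second and third rules, but it has no registry read event (its registry events cover key create/delete, value set and rename only), so the Uninstall-key rule needs an API trace such as the sandbox's rather than Sysmon telemetry.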
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/940-7-0x0000000000000000-mapping.dmp
- memory/1648-6-0x0000000000000000-mapping.dmp
- memory/1756-0-0x0000000002429000-0x000000000242A000-memory.dmp (4KB)
- memory/1756-1-0x0000000003C20000-0x0000000003C31000-memory.dmp (68KB)
- memory/1756-2-0x0000000003E50000-0x0000000003E61000-memory.dmp (68KB)
- memory/1756-3-0x0000000073D40000-0x000000007442E000-memory.dmp (6.9MB)
- memory/1756-4-0x0000000006580000-0x00000000065A4000-memory.dmp (144KB)
- memory/1756-5-0x00000000065B0000-0x00000000065D2000-memory.dmp (136KB)