Analysis
- max time kernel: 135s
- max time network: 136s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 02-11-2020 15:39
Static task: static1
Behavioral task: behavioral1
- Sample: be42138c007747b94d01e4b2b1698498.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: be42138c007747b94d01e4b2b1698498.exe
- Resource: win10v20201028
General
- Target: be42138c007747b94d01e4b2b1698498.exe
- Size: 1.4MB
- MD5: be42138c007747b94d01e4b2b1698498
- SHA1: 67261c10902204f1aab2ae88d89325e705c76329
- SHA256: b4c89616a5a88bf22085f8f4322ad8935265dc5d34248bb1332dbc1d4537c9e8
- SHA512: c1e33805c33ac0889197fe5fd7eadbe037487bddd7cec5f30c4dc85d3ec1368fa4404cfb3c2afcf5d5d3638ac852c5c1b41b6537005405a052a893746007ae39
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (4 IoCs)
  Processes:
  - resource: behavioral1/memory/1200-6-0x000000000042411A-mapping.dmp, yara_rule: family_redline
  - resource: behavioral1/memory/1200-5-0x0000000000400000-0x000000000042A000-memory.dmp, yara_rule: family_redline
  - resource: behavioral1/memory/1200-7-0x0000000000400000-0x000000000042A000-memory.dmp, yara_rule: family_redline
  - resource: behavioral1/memory/1200-8-0x0000000000400000-0x000000000042A000-memory.dmp, yara_rule: family_redline
- Deletes itself (1 IoC)
  Processes:
  - pid 432, process cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 8, ioc checkip.amazonaws.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - description: set thread context; pid 796 (be42138c007747b94d01e4b2b1698498.exe) -> target pid 1200 (be42138c007747b94d01e4b2b1698498.exe)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - pid 1200, process be42138c007747b94d01e4b2b1698498.exe
  - pid 1200, process be42138c007747b94d01e4b2b1698498.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege; pid 796, process be42138c007747b94d01e4b2b1698498.exe
  - Token: SeDebugPrivilege; pid 1200, process be42138c007747b94d01e4b2b1698498.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
  - PID 796 (be42138c007747b94d01e4b2b1698498.exe) wrote to memory of 1200 (be42138c007747b94d01e4b2b1698498.exe): 12 entries
  - PID 1200 (be42138c007747b94d01e4b2b1698498.exe) wrote to memory of 432 (cmd.exe): 4 entries
  - PID 432 (cmd.exe) wrote to memory of 1696 (PING.EXE): 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe"
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 3
            - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/432-12-0x0000000000000000-mapping.dmp
- memory/796-0-0x00000000740C0000-0x00000000747AE000-memory.dmp (Filesize 6.9MB)
- memory/796-1-0x0000000000D00000-0x0000000000D01000-memory.dmp (Filesize 4KB)
- memory/796-3-0x00000000003C0000-0x00000000003F4000-memory.dmp (Filesize 208KB)
- memory/796-4-0x00000000002A0000-0x00000000002B6000-memory.dmp (Filesize 88KB)
- memory/1200-6-0x000000000042411A-mapping.dmp
- memory/1200-5-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize 168KB)
- memory/1200-7-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize 168KB)
- memory/1200-8-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize 168KB)
- memory/1200-9-0x00000000740C0000-0x00000000747AE000-memory.dmp (Filesize 6.9MB)
- memory/1696-13-0x0000000000000000-mapping.dmp