Analysis
- max time kernel: 47s
- max time network: 102s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02-11-2020 15:39

Static task: static1

Behavioral task: behavioral1
  Sample: be42138c007747b94d01e4b2b1698498.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: be42138c007747b94d01e4b2b1698498.exe
  Resource: win10v20201028
General
- Target: be42138c007747b94d01e4b2b1698498.exe
- Size: 1.4MB
- MD5: be42138c007747b94d01e4b2b1698498
- SHA1: 67261c10902204f1aab2ae88d89325e705c76329
- SHA256: b4c89616a5a88bf22085f8f4322ad8935265dc5d34248bb1332dbc1d4537c9e8
- SHA512: c1e33805c33ac0889197fe5fd7eadbe037487bddd7cec5f30c4dc85d3ec1368fa4404cfb3c2afcf5d5d3638ac852c5c1b41b6537005405a052a893746007ae39
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload (2 IoCs)
  Processes:
  resource                                                                    | yara_rule
  behavioral2/memory/3200-5-0x0000000000400000-0x000000000042A000-memory.dmp | family_redline
  behavioral2/memory/3200-6-0x000000000042411A-mapping.dmp                    | family_redline

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  16   | checkip.amazonaws.com

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          | pid  | process                              | target process
  PID 4796 set thread context of 3200  | 4796 | be42138c007747b94d01e4b2b1698498.exe | be42138c007747b94d01e4b2b1698498.exe

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid  | process
  4796 | be42138c007747b94d01e4b2b1698498.exe
  4796 | be42138c007747b94d01e4b2b1698498.exe
  3200 | be42138c007747b94d01e4b2b1698498.exe
  3200 | be42138c007747b94d01e4b2b1698498.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 4796 | be42138c007747b94d01e4b2b1698498.exe
  Token: SeDebugPrivilege  | 3200 | be42138c007747b94d01e4b2b1698498.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (identical events grouped, with their count):
  description                        | pid  | process                              | target process                       | count
  PID 4796 wrote to memory of 1016   | 4796 | be42138c007747b94d01e4b2b1698498.exe | be42138c007747b94d01e4b2b1698498.exe | 3
  PID 4796 wrote to memory of 3200   | 4796 | be42138c007747b94d01e4b2b1698498.exe | be42138c007747b94d01e4b2b1698498.exe | 8
  PID 3200 wrote to memory of 1680   | 3200 | be42138c007747b94d01e4b2b1698498.exe | cmd.exe                              | 3
  PID 1680 wrote to memory of 1876   | 1680 | cmd.exe                              | PING.EXE                             | 3
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe"

  - [2] C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\be42138c007747b94d01e4b2b1698498.exe"
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 3
        - Runs ping.exe

(The number in brackets is the depth of the process in the tree.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\be42138c007747b94d01e4b2b1698498.exe.log
  MD5: 605f809fab8c19729d39d075f7ffdb53
  SHA1: c546f877c9bd53563174a90312a8337fdfc5fdd9
  SHA256: 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
  SHA512: 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3