Overview

overview

10

Static

static

1bece3fc71...d3.exe

windows7_x64

10

1bece3fc71...d3.exe

windows10_x64

10

Analysis

  • max time kernel
    28s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-12-2020 12:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bece3fc719dffcc6b9d02256a39c0d3.exe

  • Size

    590KB

  • MD5

    1bece3fc719dffcc6b9d02256a39c0d3

  • SHA1

    f6e9418f9f1c172518e2fe5cd10b1d94e26c9c30

  • SHA256

    3d402a866fb1dc18d7eaaa64013502d3184c25b9f5c93bfa916b5d15cda34a11

  • SHA512

    b8bb2937917bbe8c6f293d493712fcfb13cd89c3b99b070bb264d9f5f4ad710bc11023ec3b3d1accbf172509416de09b68199bc5a6cf291a3d46a0a2e325e74a

Score
10/10
redlineinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bece3fc719dffcc6b9d02256a39c0d3.exe
    "C:\Users\Admin\AppData\Local\Temp\1bece3fc719dffcc6b9d02256a39c0d3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1020
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • Runs ping.exe
          PID:1112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1776
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:548

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/548-16-0x0000000000000000-mapping.dmp

    Download

  • memory/548-17-0x0000000001F40000-0x0000000001F51000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1020-18-0x0000000000000000-mapping.dmp

    Download

  • memory/1112-19-0x0000000000000000-mapping.dmp

    Download

  • memory/1780-12-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1780-9-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1780-10-0x00000000004201CE-mapping.dmp

    Download

  • memory/1780-11-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1780-13-0x00000000749E0000-0x00000000750CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1824-8-0x0000000000310000-0x0000000000311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1824-7-0x0000000000300000-0x0000000000310000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1824-6-0x0000000000A80000-0x0000000000AAC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1824-5-0x0000000000480000-0x00000000004A5000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1824-3-0x00000000011B0000-0x00000000011B1000-memory.dmp

    Filesize

    4KB

    Download