Analysis
- max time kernel: 19s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 06:36
Static task: static1
Behavioral task: behavioral1
  Sample: 8b021c061663ac4e87fd8568b47268f8.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 8b021c061663ac4e87fd8568b47268f8.exe
  Resource: win10v20201028
General
- Target: 8b021c061663ac4e87fd8568b47268f8.exe
- Size: 334KB
- MD5: 8b021c061663ac4e87fd8568b47268f8
- SHA1: 6c22ee34fb6a7b6f83d872ed8a96330a6874d229
- SHA256: b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
- SHA512: 30a42177b43e5b295f5497462ae963f2be7f7b4aaf656114fefc133de4a2def4f1629bcdb310e0234f684e65bc84874d5c9f3807632ebf659ff2ee3f387b786f
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource                                                                       yara_rule
    behavioral1/memory/1580-6-0x0000000006950000-0x0000000006973000-memory.dmp    family_redline
    behavioral1/memory/1580-7-0x00000000069A0000-0x00000000069C2000-memory.dmp    family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid    process
    1580   8b021c061663ac4e87fd8568b47268f8.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                pid    process
    Token: SeDebugPrivilege    1580   8b021c061663ac4e87fd8568b47268f8.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                          pid    process                                 target process
    PID 1580 wrote to memory of 952      1580   8b021c061663ac4e87fd8568b47268f8.exe    cmd.exe
    PID 1580 wrote to memory of 952      1580   8b021c061663ac4e87fd8568b47268f8.exe    cmd.exe
    PID 1580 wrote to memory of 952      1580   8b021c061663ac4e87fd8568b47268f8.exe    cmd.exe
    PID 1580 wrote to memory of 952      1580   8b021c061663ac4e87fd8568b47268f8.exe    cmd.exe
    PID 952 wrote to memory of 1080      952    cmd.exe                                 PING.EXE
    PID 952 wrote to memory of 1080      952    cmd.exe                                 PING.EXE
    PID 952 wrote to memory of 1080      952    cmd.exe                                 PING.EXE
    PID 952 wrote to memory of 1080      952    cmd.exe                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\8b021c061663ac4e87fd8568b47268f8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b021c061663ac4e87fd8568b47268f8.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 3
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/952-8-0x0000000000000000-mapping.dmp
- memory/1080-9-0x0000000000000000-mapping.dmp
- memory/1580-2-0x000000000521E000-0x000000000521F000-memory.dmp (Filesize: 4KB)
- memory/1580-3-0x00000000068D0000-0x00000000068E1000-memory.dmp (Filesize: 68KB)
- memory/1580-4-0x0000000006A50000-0x0000000006A61000-memory.dmp (Filesize: 68KB)
- memory/1580-5-0x00000000744C0000-0x0000000074BAE000-memory.dmp (Filesize: 6.9MB)
- memory/1580-6-0x0000000006950000-0x0000000006973000-memory.dmp (Filesize: 140KB)
- memory/1580-7-0x00000000069A0000-0x00000000069C2000-memory.dmp (Filesize: 136KB)