Analysis
-
max time kernel
24s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-01-2021 06:36
General
-
Target
b8dc0d47a02656e13ca9337fe8d1b5d0.exe
-
Size
334KB
-
MD5
b8dc0d47a02656e13ca9337fe8d1b5d0
-
SHA1
ba2327322c6f1e7bc081bd885ef89fe40e9837ca
-
SHA256
cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
-
SHA512
a70f29493bb28ee884b9fddc726ae3410bb101101ed8c48881300cf64aeefb88b8f0365a5766a37c66d598cf96d62f13259fd9d46197bfb0db904f9d3b726407
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8dc0d47a02656e13ca9337fe8d1b5d0.exe"C:\Users\Admin\AppData\Local\Temp\b8dc0d47a02656e13ca9337fe8d1b5d0.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
140KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-