Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    16-01-2021 07:30

General

  • Target

    1c7b5feef64697929d2b89c6e53e1642.exe

  • Size

    352KB

  • MD5

    1c7b5feef64697929d2b89c6e53e1642

  • SHA1

    3188662f3ce00e97131f98c9824c8d26e5086bbb

  • SHA256

    521bbb71dd98cad2946f25016fe0eb27ce076423b09819abc5dd09d24939a769

  • SHA512

    0e76a0478a865305166f09d619f9fe95a07a54d1e591824f7b5ffd7726179b873104dcca281ae7ac10f1bc1ac18fffeebb45daaa4e4d73ebde6757a9031bfaf7

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c7b5feef64697929d2b89c6e53e1642.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1c7b5feef64697929d2b89c6e53e1642.exe"
    PID: 1036
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1036-2-0x000000000474C000-0x000000000474D000-memory.dmp (Filesize: 4KB)
  • memory/1036-3-0x0000000006080000-0x0000000006091000-memory.dmp (Filesize: 68KB)
  • memory/1036-4-0x00000000061F0000-0x0000000006201000-memory.dmp (Filesize: 68KB)
  • memory/1036-5-0x0000000074880000-0x0000000074F6E000-memory.dmp (Filesize: 6.9MB)
  • memory/1036-6-0x00000000046C0000-0x00000000046E9000-memory.dmp (Filesize: 164KB)
  • memory/1036-7-0x0000000004700000-0x0000000004727000-memory.dmp (Filesize: 156KB)