Analysis
-
max time kernel
21s -
max time network
19s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
20-01-2021 14:31
Static task
static1
Behavioral task
behavioral1
Sample
85976e531510c3f092d3a7e8ca5d04fd.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
85976e531510c3f092d3a7e8ca5d04fd.exe
Resource
win10v20201028
General
-
Target
85976e531510c3f092d3a7e8ca5d04fd.exe
-
Size
324KB
-
MD5
85976e531510c3f092d3a7e8ca5d04fd
-
SHA1
f58570d7373d487c7d3e01d4de09ab456408a046
-
SHA256
d5a592a952140b52fde783c6281f82986a3aee2f05de63fe7b6ff2d76db11670
-
SHA512
096b15da27c008c7889ed897f8331db4e9fc80b281172b4e7ba601585988b8f279af88db2cbe4327eea1d4938324c3890d2a2dae24bef8429a1f85d173c3ea09
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1852-7-0x00000000061C0000-0x00000000061E9000-memory.dmp family_redline behavioral1/memory/1852-13-0x00000000061F0000-0x0000000006218000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
85976e531510c3f092d3a7e8ca5d04fd.exepid process 1852 85976e531510c3f092d3a7e8ca5d04fd.exe 1852 85976e531510c3f092d3a7e8ca5d04fd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
85976e531510c3f092d3a7e8ca5d04fd.exedescription pid process Token: SeDebugPrivilege 1852 85976e531510c3f092d3a7e8ca5d04fd.exe