Analysis
-
max time kernel
21s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-01-2021 14:31
Static task
static1
Behavioral task
behavioral1
Sample
85976e531510c3f092d3a7e8ca5d04fd.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
85976e531510c3f092d3a7e8ca5d04fd.exe
Resource
win10v20201028
General
-
Target
85976e531510c3f092d3a7e8ca5d04fd.exe
-
Size
324KB
-
MD5
85976e531510c3f092d3a7e8ca5d04fd
-
SHA1
f58570d7373d487c7d3e01d4de09ab456408a046
-
SHA256
d5a592a952140b52fde783c6281f82986a3aee2f05de63fe7b6ff2d76db11670
-
SHA512
096b15da27c008c7889ed897f8331db4e9fc80b281172b4e7ba601585988b8f279af88db2cbe4327eea1d4938324c3890d2a2dae24bef8429a1f85d173c3ea09
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral2/memory/3888-7-0x0000000006580000-0x00000000065A9000-memory.dmp family_redline behavioral2/memory/3888-9-0x0000000008CA0000-0x0000000008CC8000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3888 85976e531510c3f092d3a7e8ca5d04fd.exe 3888 85976e531510c3f092d3a7e8ca5d04fd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3888 85976e531510c3f092d3a7e8ca5d04fd.exe