Analysis
-
max time kernel
150s -
max time network
92s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
10-02-2021 09:31
Static task
static1
Behavioral task
behavioral1
Sample
0bb400582081d479bbf36c374b1b384a.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0bb400582081d479bbf36c374b1b384a.exe
Resource
win10v20201028
General
-
Target
0bb400582081d479bbf36c374b1b384a.exe
-
Size
338KB
-
MD5
0bb400582081d479bbf36c374b1b384a
-
SHA1
9a55d9786f73e1c4a81de9c965527717d169a29d
-
SHA256
f4c347b4a344291c7e62fc77734b3e403358723874f7460ea4e2a6f2c3659b48
-
SHA512
54c2035aa64df182c020b8e283ab6cd50988d4686c0889abee28ca03235d98bc2875151b7550d0c978839046d7841825dafb38509891a17beb7a733512d90508
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/308-7-0x0000000003E40000-0x0000000003E6C000-memory.dmp family_redline behavioral1/memory/308-8-0x00000000064C0000-0x00000000064EA000-memory.dmp family_redline -
Executes dropped EXE 1 IoCs
Processes:
o.exepid process 396 o.exe -
Loads dropped DLL 1 IoCs
Processes:
0bb400582081d479bbf36c374b1b384a.exepid process 308 0bb400582081d479bbf36c374b1b384a.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
0bb400582081d479bbf36c374b1b384a.exeo.exepid process 308 0bb400582081d479bbf36c374b1b384a.exe 308 0bb400582081d479bbf36c374b1b384a.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe 396 o.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
0bb400582081d479bbf36c374b1b384a.exeo.exedescription pid process Token: SeDebugPrivilege 308 0bb400582081d479bbf36c374b1b384a.exe Token: SeDebugPrivilege 396 o.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
o.exepid process 396 o.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
0bb400582081d479bbf36c374b1b384a.exedescription pid process target process PID 308 wrote to memory of 396 308 0bb400582081d479bbf36c374b1b384a.exe o.exe PID 308 wrote to memory of 396 308 0bb400582081d479bbf36c374b1b384a.exe o.exe PID 308 wrote to memory of 396 308 0bb400582081d479bbf36c374b1b384a.exe o.exe PID 308 wrote to memory of 396 308 0bb400582081d479bbf36c374b1b384a.exe o.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bb400582081d479bbf36c374b1b384a.exe"C:\Users\Admin\AppData\Local\Temp\0bb400582081d479bbf36c374b1b384a.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\o.exe"C:\Users\Admin\AppData\Local\Temp\o.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\o.exeMD5
f254515cdf3cf10e1555046493c5bee8
SHA14eee393ad747349fda88bf5690dbb60aa450eced
SHA25624be4bd66f7e47dee0a64925c1ceee243396c06d18c00fb16ce54204cb9b096e
SHA512c6e06be4c7b9150e99d1708b6b45153de4d850490274ea6672177bcbbdde676aed3a2a038dd14936b54b68bcc46f7fdc382db82a26b5776e9ca81d6dc14362b1
-
C:\Users\Admin\AppData\Local\Temp\o.exeMD5
f254515cdf3cf10e1555046493c5bee8
SHA14eee393ad747349fda88bf5690dbb60aa450eced
SHA25624be4bd66f7e47dee0a64925c1ceee243396c06d18c00fb16ce54204cb9b096e
SHA512c6e06be4c7b9150e99d1708b6b45153de4d850490274ea6672177bcbbdde676aed3a2a038dd14936b54b68bcc46f7fdc382db82a26b5776e9ca81d6dc14362b1
-
\Users\Admin\AppData\Local\Temp\o.exeMD5
f254515cdf3cf10e1555046493c5bee8
SHA14eee393ad747349fda88bf5690dbb60aa450eced
SHA25624be4bd66f7e47dee0a64925c1ceee243396c06d18c00fb16ce54204cb9b096e
SHA512c6e06be4c7b9150e99d1708b6b45153de4d850490274ea6672177bcbbdde676aed3a2a038dd14936b54b68bcc46f7fdc382db82a26b5776e9ca81d6dc14362b1
-
memory/308-6-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/308-12-0x0000000006514000-0x0000000006516000-memory.dmpFilesize
8KB
-
memory/308-7-0x0000000003E40000-0x0000000003E6C000-memory.dmpFilesize
176KB
-
memory/308-8-0x00000000064C0000-0x00000000064EA000-memory.dmpFilesize
168KB
-
memory/308-10-0x0000000006512000-0x0000000006513000-memory.dmpFilesize
4KB
-
memory/308-9-0x0000000006511000-0x0000000006512000-memory.dmpFilesize
4KB
-
memory/308-11-0x0000000006513000-0x0000000006514000-memory.dmpFilesize
4KB
-
memory/308-2-0x0000000003970000-0x0000000003981000-memory.dmpFilesize
68KB
-
memory/308-5-0x0000000003970000-0x00000000039A6000-memory.dmpFilesize
216KB
-
memory/308-4-0x0000000073FC0000-0x00000000746AE000-memory.dmpFilesize
6.9MB
-
memory/308-3-0x0000000003B90000-0x0000000003BA1000-memory.dmpFilesize
68KB
-
memory/396-14-0x0000000000000000-mapping.dmp
-
memory/396-18-0x0000000001D30000-0x0000000001D32000-memory.dmpFilesize
8KB
-
memory/396-17-0x000007FEF4EF0000-0x000007FEF588D000-memory.dmpFilesize
9.6MB
-
memory/396-19-0x000007FEF4EF0000-0x000007FEF588D000-memory.dmpFilesize
9.6MB
-
memory/396-20-0x0000000001D36000-0x0000000001D55000-memory.dmpFilesize
124KB