Analysis
-
max time kernel
17s -
max time network
99s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
10-02-2021 09:31
Static task
static1
Behavioral task
behavioral1
Sample
0bb400582081d479bbf36c374b1b384a.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0bb400582081d479bbf36c374b1b384a.exe
Resource
win10v20201028
General
-
Target
0bb400582081d479bbf36c374b1b384a.exe
-
Size
338KB
-
MD5
0bb400582081d479bbf36c374b1b384a
-
SHA1
9a55d9786f73e1c4a81de9c965527717d169a29d
-
SHA256
f4c347b4a344291c7e62fc77734b3e403358723874f7460ea4e2a6f2c3659b48
-
SHA512
54c2035aa64df182c020b8e283ab6cd50988d4686c0889abee28ca03235d98bc2875151b7550d0c978839046d7841825dafb38509891a17beb7a733512d90508
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1232-8-0x0000000004240000-0x000000000426C000-memory.dmp family_redline behavioral2/memory/1232-10-0x0000000004490000-0x00000000044BA000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
0bb400582081d479bbf36c374b1b384a.exepid process 1232 0bb400582081d479bbf36c374b1b384a.exe 1232 0bb400582081d479bbf36c374b1b384a.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0bb400582081d479bbf36c374b1b384a.exedescription pid process Token: SeDebugPrivilege 1232 0bb400582081d479bbf36c374b1b384a.exe