Analysis
-
max time kernel
26s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-02-2021 11:30
General
-
Target
C637.exe
-
Size
235KB
-
MD5
f350e12541835a5eee54cf0d5a5aa5f4
-
SHA1
68a33f9ceb9fce762638aea0349f5a8410968262
-
SHA256
4d788f0e1a3be7d6e706fcba03282ae62a0ab8df95014feb9f026bce5ddff089
-
SHA512
aa14ca6d6fac284330ede40c5998b33303da1556d83329e798a3e1ee7531920131816014b0550b98986aeef6f5ecfddb87092f9408dea28d314e7416711a7878
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\C637.exe"C:\Users\Admin\AppData\Local\Temp\C637.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/668-2-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB
-
memory/668-3-0x0000000002400000-0x0000000002401000-memory.dmpFilesize
4KB
-
memory/668-4-0x0000000000940000-0x0000000000977000-memory.dmpFilesize
220KB
-
memory/668-5-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/668-6-0x0000000072FB0000-0x000000007369E000-memory.dmpFilesize
6.9MB
-
memory/668-7-0x0000000002610000-0x000000000263E000-memory.dmpFilesize
184KB
-
memory/668-9-0x0000000004C72000-0x0000000004C73000-memory.dmpFilesize
4KB
-
memory/668-8-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/668-10-0x0000000004C73000-0x0000000004C74000-memory.dmpFilesize
4KB
-
memory/668-11-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/668-12-0x0000000004B90000-0x0000000004BBC000-memory.dmpFilesize
176KB
-
memory/668-13-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/668-14-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/668-15-0x0000000004C74000-0x0000000004C76000-memory.dmpFilesize
8KB
-
memory/668-16-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/668-17-0x00000000058A0000-0x00000000058A1000-memory.dmpFilesize
4KB
-
memory/668-18-0x00000000058C0000-0x00000000058C1000-memory.dmpFilesize
4KB
-
memory/668-19-0x0000000005A30000-0x0000000005A31000-memory.dmpFilesize
4KB
-
memory/668-20-0x0000000005BB0000-0x0000000005BB1000-memory.dmpFilesize
4KB
-
memory/668-21-0x0000000006780000-0x0000000006781000-memory.dmpFilesize
4KB
-
memory/668-22-0x0000000006960000-0x0000000006961000-memory.dmpFilesize
4KB
-
memory/668-23-0x0000000006FA0000-0x0000000006FA1000-memory.dmpFilesize
4KB
-
memory/668-24-0x0000000007050000-0x0000000007051000-memory.dmpFilesize
4KB
-
memory/668-25-0x0000000008440000-0x0000000008441000-memory.dmpFilesize
4KB