Analysis
-
max time kernel
123s -
max time network
125s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-02-2021 18:46
Static task
static1
Behavioral task
behavioral1
Sample
QDLF2602PDF.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
QDLF2602PDF.exe
Resource
win10v20201028
General
-
Target
QDLF2602PDF.exe
-
Size
607KB
-
MD5
ee83dba635f317e07779a4e2c92e454e
-
SHA1
6f6264eb838576951282ab6d40fa1b1053c6421d
-
SHA256
715a7e61152baeb46f1197fb49194205b2816902a1f630845f089f5ef57108fd
-
SHA512
85cf51905399c9094c6c6ae4e1f080670bae523f447a92e220889a8143dcc295831f499e210be343627661bce1a803efb3be4315d15b137ff51ae3e007d5b126
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1900-8-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1900-9-0x0000000000421E02-mapping.dmp family_redline behavioral1/memory/1900-11-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
QDLF2602PDF.exedescription pid process target process PID 2008 set thread context of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
QDLF2602PDF.exepid process 1900 QDLF2602PDF.exe 1900 QDLF2602PDF.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
QDLF2602PDF.exedescription pid process Token: SeDebugPrivilege 1900 QDLF2602PDF.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
QDLF2602PDF.exedescription pid process target process PID 2008 wrote to memory of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe PID 2008 wrote to memory of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe PID 2008 wrote to memory of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe PID 2008 wrote to memory of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe PID 2008 wrote to memory of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe PID 2008 wrote to memory of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe PID 2008 wrote to memory of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe PID 2008 wrote to memory of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe PID 2008 wrote to memory of 1900 2008 QDLF2602PDF.exe QDLF2602PDF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1900-8-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1900-9-0x0000000000421E02-mapping.dmp
-
memory/1900-10-0x0000000073AF0000-0x00000000741DE000-memory.dmpFilesize
6.9MB
-
memory/1900-11-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1900-13-0x0000000001250000-0x0000000001251000-memory.dmpFilesize
4KB
-
memory/2008-2-0x0000000073AF0000-0x00000000741DE000-memory.dmpFilesize
6.9MB
-
memory/2008-3-0x00000000013C0000-0x00000000013C1000-memory.dmpFilesize
4KB
-
memory/2008-5-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/2008-6-0x0000000000510000-0x0000000000513000-memory.dmpFilesize
12KB
-
memory/2008-7-0x0000000004F30000-0x0000000004F79000-memory.dmpFilesize
292KB