Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-02-2021 18:46
Static task
static1
Behavioral task
behavioral1
Sample
QDLF2602PDF.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
QDLF2602PDF.exe
Resource
win10v20201028
General
-
Target
QDLF2602PDF.exe
-
Size
607KB
-
MD5
ee83dba635f317e07779a4e2c92e454e
-
SHA1
6f6264eb838576951282ab6d40fa1b1053c6421d
-
SHA256
715a7e61152baeb46f1197fb49194205b2816902a1f630845f089f5ef57108fd
-
SHA512
85cf51905399c9094c6c6ae4e1f080670bae523f447a92e220889a8143dcc295831f499e210be343627661bce1a803efb3be4315d15b137ff51ae3e007d5b126
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/68-12-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral2/memory/68-13-0x0000000000421E02-mapping.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
QDLF2602PDF.exedescription pid process target process PID 4688 set thread context of 68 4688 QDLF2602PDF.exe QDLF2602PDF.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
QDLF2602PDF.exepid process 68 QDLF2602PDF.exe 68 QDLF2602PDF.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
QDLF2602PDF.exedescription pid process Token: SeDebugPrivilege 68 QDLF2602PDF.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
QDLF2602PDF.exedescription pid process target process PID 4688 wrote to memory of 68 4688 QDLF2602PDF.exe QDLF2602PDF.exe PID 4688 wrote to memory of 68 4688 QDLF2602PDF.exe QDLF2602PDF.exe PID 4688 wrote to memory of 68 4688 QDLF2602PDF.exe QDLF2602PDF.exe PID 4688 wrote to memory of 68 4688 QDLF2602PDF.exe QDLF2602PDF.exe PID 4688 wrote to memory of 68 4688 QDLF2602PDF.exe QDLF2602PDF.exe PID 4688 wrote to memory of 68 4688 QDLF2602PDF.exe QDLF2602PDF.exe PID 4688 wrote to memory of 68 4688 QDLF2602PDF.exe QDLF2602PDF.exe PID 4688 wrote to memory of 68 4688 QDLF2602PDF.exe QDLF2602PDF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QDLF2602PDF.exe.logMD5
c3cc52ccca9ff2b6fa8d267fc350ca6b
SHA1a68d4028333296d222e4afd75dea36fdc98d05f3
SHA2563125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
SHA512b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
-
memory/68-23-0x0000000005980000-0x0000000005981000-memory.dmpFilesize
4KB
-
memory/68-22-0x0000000005920000-0x0000000005921000-memory.dmpFilesize
4KB
-
memory/68-30-0x0000000007180000-0x0000000007181000-memory.dmpFilesize
4KB
-
memory/68-15-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/68-26-0x0000000006EA0000-0x0000000006EA1000-memory.dmpFilesize
4KB
-
memory/68-25-0x0000000005C20000-0x0000000005C21000-memory.dmpFilesize
4KB
-
memory/68-24-0x00000000059C0000-0x00000000059C1000-memory.dmpFilesize
4KB
-
memory/68-21-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/68-12-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/68-13-0x0000000000421E02-mapping.dmp
-
memory/68-31-0x0000000007540000-0x0000000007541000-memory.dmpFilesize
4KB
-
memory/68-27-0x00000000075A0000-0x00000000075A1000-memory.dmpFilesize
4KB
-
memory/68-20-0x0000000005E80000-0x0000000005E81000-memory.dmpFilesize
4KB
-
memory/68-19-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/68-18-0x00000000057F0000-0x00000000057F1000-memory.dmpFilesize
4KB
-
memory/4688-11-0x0000000005830000-0x0000000005879000-memory.dmpFilesize
292KB
-
memory/4688-5-0x0000000005890000-0x0000000005891000-memory.dmpFilesize
4KB
-
memory/4688-2-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/4688-10-0x0000000005570000-0x0000000005573000-memory.dmpFilesize
12KB
-
memory/4688-9-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/4688-8-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB
-
memory/4688-7-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/4688-6-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/4688-3-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB