Overview

overview

10

Static

static

QDLF2602PDF.exe

windows7_x64

10

QDLF2602PDF.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-02-2021 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QDLF2602PDF.exe

  • Size

    607KB

  • MD5

    ee83dba635f317e07779a4e2c92e454e

  • SHA1

    6f6264eb838576951282ab6d40fa1b1053c6421d

  • SHA256

    715a7e61152baeb46f1197fb49194205b2816902a1f630845f089f5ef57108fd

  • SHA512

    85cf51905399c9094c6c6ae4e1f080670bae523f447a92e220889a8143dcc295831f499e210be343627661bce1a803efb3be4315d15b137ff51ae3e007d5b126

Score
10/10
redlinediscoveryinfostealerspyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\QDLF2602PDF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:68

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QDLF2602PDF.exe.log
    MD5

    c3cc52ccca9ff2b6fa8d267fc350ca6b

    SHA1

    a68d4028333296d222e4afd75dea36fdc98d05f3

    SHA256

    3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

    SHA512

    b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

    Download Submit
  • memory/68-23-0x0000000005980000-0x0000000005981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-22-0x0000000005920000-0x0000000005921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-30-0x0000000007180000-0x0000000007181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-15-0x0000000073430000-0x0000000073B1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/68-26-0x0000000006EA0000-0x0000000006EA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-25-0x0000000005C20000-0x0000000005C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-24-0x00000000059C0000-0x00000000059C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-21-0x0000000005780000-0x0000000005781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-12-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/68-13-0x0000000000421E02-mapping.dmp
    Download
  • memory/68-31-0x0000000007540000-0x0000000007541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-27-0x00000000075A0000-0x00000000075A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-20-0x0000000005E80000-0x0000000005E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-19-0x00000000057C0000-0x00000000057C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/68-18-0x00000000057F0000-0x00000000057F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4688-11-0x0000000005830000-0x0000000005879000-memory.dmp
    Filesize

    292KB

    Download
  • memory/4688-5-0x0000000005890000-0x0000000005891000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4688-2-0x0000000073430000-0x0000000073B1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4688-10-0x0000000005570000-0x0000000005573000-memory.dmp
    Filesize

    12KB

    Download
  • memory/4688-9-0x0000000005220000-0x0000000005221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4688-8-0x0000000005580000-0x0000000005581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4688-7-0x0000000005390000-0x0000000005391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4688-6-0x00000000052B0000-0x00000000052B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4688-3-0x0000000000970000-0x0000000000971000-memory.dmp
    Filesize

    4KB

    Download