Overview

overview

10

Static

static

10

1d0ea562_e...ed.exe

windows7_x64

10

1d0ea562_e...ed.exe

windows10_x64

10

Analysis

  • max time kernel
    13s
  • max time network
    105s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-03-2021 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d0ea562_extracted.exe

  • Size

    154KB

  • MD5

    b695766dd97d30b93e078d2a35041e67

  • SHA1

    d313d986245fb9953a929e8ff3dbfa4e777e66fd

  • SHA256

    49ddb5fcbdd0c23718e0bd08ea3f2e4d138271867718315d650008083be1c05a

  • SHA512

    aef2596d21e8ef3e517a1efabb785143f03b6f1db91e87653d532012b0c37aa77e366ea6adbeb654dee69b59cacc7f7fb7810fa998ebf626f6fa2ec78f58ca74

Score
10/10
redlineinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d0ea562_extracted.exe
    "C:\Users\Admin\AppData\Local\Temp\1d0ea562_extracted.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C taskkill /F /PID 1176 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1d0ea562_extracted.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 1176
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1056
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:196

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/196-13-0x0000000000000000-mapping.dmp
      Download
    • memory/892-11-0x0000000000000000-mapping.dmp
      Download
    • memory/1056-12-0x0000000000000000-mapping.dmp
      Download
    • memory/1176-2-0x0000000073A70000-0x000000007415E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1176-3-0x00000000004E0000-0x00000000004E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1176-5-0x0000000005460000-0x0000000005461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1176-6-0x0000000004D10000-0x0000000004D11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1176-7-0x0000000004D70000-0x0000000004D71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1176-8-0x0000000004E40000-0x0000000004E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1176-9-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1176-10-0x0000000005010000-0x0000000005011000-memory.dmp
      Filesize

      4KB

      Download