Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7v20201028
submitted: 11-03-2021 19:34

Static task: static1
Behavioral task: behavioral1
  Sample: ec8b389edf6738f9b561418f4b0b0d9c.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: ec8b389edf6738f9b561418f4b0b0d9c.exe
  Resource: win10v20201028
General
Target: ec8b389edf6738f9b561418f4b0b0d9c.exe
Size: 159KB
MD5: ec8b389edf6738f9b561418f4b0b0d9c
SHA1: b0047154ae3e3626ca02a54ee315fdec7a1656b7
SHA256: 14ed09b6cec2b4465de883ce16001c309436f916fb1d3b84d41f84e39f4712ed
SHA512: f75d26c333fb14d06a0537e2a5adb023d71d91724f75795c795e916f8b5a7fa2050204febe361c54245462c633a15badbf886b9e30bf3e2e337e3b9338480029
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/848-10-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
behavioral1/memory/848-11-0x000000000041EFD2-mapping.dmp | family_redline
behavioral1/memory/848-13-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1096 set thread context of 848 | 1096 | ec8b389edf6738f9b561418f4b0b0d9c.exe | AddInProcess32.exe
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | ec8b389edf6738f9b561418f4b0b0d9c.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | ec8b389edf6738f9b561418f4b0b0d9c.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1096 | ec8b389edf6738f9b561418f4b0b0d9c.exe
Token: SeDebugPrivilege | 848 | AddInProcess32.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 1096 wrote to memory of 848 | 1096 | ec8b389edf6738f9b561418f4b0b0d9c.exe | AddInProcess32.exe
(the same entry is listed 9 times in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ec8b389edf6738f9b561418f4b0b0d9c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ec8b389edf6738f9b561418f4b0b0d9c.exe"
   - Suspicious use of SetThreadContext
   - Modifies system certificate store
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (child of process 1)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/848-10-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
memory/848-15-0x0000000000810000-0x0000000000811000-memory.dmp (Filesize: 4KB)
memory/848-13-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
memory/848-12-0x0000000074500000-0x0000000074BEE000-memory.dmp (Filesize: 6.9MB)
memory/848-11-0x000000000041EFD2-mapping.dmp (Filesize: not listed)
memory/1096-6-0x00000000047C2000-0x00000000047C3000-memory.dmp (Filesize: 4KB)
memory/1096-8-0x0000000002020000-0x000000000202C000-memory.dmp (Filesize: 48KB)
memory/1096-9-0x00000000047C4000-0x00000000047C6000-memory.dmp (Filesize: 8KB)
memory/1096-7-0x00000000047C3000-0x00000000047C4000-memory.dmp (Filesize: 4KB)
memory/1096-5-0x00000000047C1000-0x00000000047C2000-memory.dmp (Filesize: 4KB)
memory/1096-2-0x0000000001D80000-0x0000000001D91000-memory.dmp (Filesize: 68KB)
memory/1096-4-0x0000000001D30000-0x0000000001D3D000-memory.dmp (Filesize: 52KB)
memory/1096-3-0x0000000074500000-0x0000000074BEE000-memory.dmp (Filesize: 6.9MB)