Analysis
- max time kernel: 38s
- max time network: 38s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-04-2021 08:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: c06b71d7e3dc65653794fa2ff0759f2a.exe
- Resource: win7v20210410
General
- Target: c06b71d7e3dc65653794fa2ff0759f2a.exe
- Size: 427KB
- MD5: c06b71d7e3dc65653794fa2ff0759f2a
- SHA1: 1de6518d879b92e741cb118b2aba46dc160808ca
- SHA256: dfecf9c450e683be8d6f11c2bd18c6c636d51824f78e7fc6d3b6e30f7ce93a3d
- SHA512: 2471abf3f2d48fa05d28060159a613f0b2843c2349ca827d8f3c94e37b0fd5dac1f06b51cdf5482b414836df6276f80d7821815692378da5b3b2ca5b417c156c
Malware Config
- Extracted: redline
- 04-16-cr1
- drerink.xyz:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (3 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1476-64-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
  behavioral1/memory/1476-66-0x000000000041628E-mapping.dmp                    family_redline
  behavioral1/memory/1476-67-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/540-63-0x0000000000C40000-0x0000000000C4A000-memory.dmp  agile_net
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials among other sensitive data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                         pid  process                               target process
  PID 540 set thread context of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 set thread context of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  540   c06b71d7e3dc65653794fa2ff0759f2a.exe
  540   c06b71d7e3dc65653794fa2ff0759f2a.exe
  1476  c06b71d7e3dc65653794fa2ff0759f2a.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  540   c06b71d7e3dc65653794fa2ff0759f2a.exe
  Token: SeDebugPrivilege  1476  c06b71d7e3dc65653794fa2ff0759f2a.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                      pid  process                               target process
  PID 540 wrote to memory of 1396  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1396  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1396  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1396  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
  PID 540 wrote to memory of 1476  540  c06b71d7e3dc65653794fa2ff0759f2a.exe  c06b71d7e3dc65653794fa2ff0759f2a.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe (depth 2, child of the above)
    command line: "C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe"
  - C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe (depth 2, child of the above)
    command line: "C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/540-60-0x0000000001320000-0x0000000001321000-memory.dmp (Filesize 4KB)
- memory/540-62-0x0000000004A20000-0x0000000004A21000-memory.dmp (Filesize 4KB)
- memory/540-63-0x0000000000C40000-0x0000000000C4A000-memory.dmp (Filesize 40KB)
- memory/1476-64-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1476-66-0x000000000041628E-mapping.dmp
- memory/1476-67-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1476-69-0x0000000000B80000-0x0000000000B81000-memory.dmp (Filesize 4KB)