Analysis

  • max time kernel: 38s
  • max time network: 38s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 22-04-2021 08:02

General

  • Target: c06b71d7e3dc65653794fa2ff0759f2a.exe
  • Size: 427KB
  • MD5: c06b71d7e3dc65653794fa2ff0759f2a
  • SHA1: 1de6518d879b92e741cb118b2aba46dc160808ca
  • SHA256: dfecf9c450e683be8d6f11c2bd18c6c636d51824f78e7fc6d3b6e30f7ce93a3d
  • SHA512: 2471abf3f2d48fa05d28060159a613f0b2843c2349ca827d8f3c94e37b0fd5dac1f06b51cdf5482b414836df6276f80d7821815692378da5b3b2ca5b417c156c

Malware Config

Extracted

  • Family: redline
  • Botnet: 04-16-cr1
  • C2: drerink.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe
    "C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe"
    PID:540
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe
      "C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe"
      PID:1396
    • C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe
      "C:\Users\Admin\AppData\Local\Temp\c06b71d7e3dc65653794fa2ff0759f2a.exe"
      PID:1476
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files (T1081), 2
  • Discovery: Query Registry (T1012), 1
  • Collection: Data from Local System (T1005), 2

Downloads

  • memory/540-60-0x0000000001320000-0x0000000001321000-memory.dmp (Filesize: 4KB)
  • memory/540-62-0x0000000004A20000-0x0000000004A21000-memory.dmp (Filesize: 4KB)
  • memory/540-63-0x0000000000C40000-0x0000000000C4A000-memory.dmp (Filesize: 40KB)
  • memory/1476-64-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
  • memory/1476-66-0x000000000041628E-mapping.dmp
  • memory/1476-67-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
  • memory/1476-69-0x0000000000B80000-0x0000000000B81000-memory.dmp (Filesize: 4KB)