Overview

overview

10

Static

static

24dc9485b3...03.exe

windows7_x64

10

24dc9485b3...03.exe

windows10_x64

10

Analysis

  • max time kernel
    31s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    20-05-2021 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe

Score
10/10
redlinekreatordiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

KREATOR

C2

45.140.146.214:20498

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe
    "C:\Users\Admin\AppData\Local\Temp\24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe
      C:\Users\Admin\AppData\Local\Temp\24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2120

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2120-132-0x0000000005560000-0x0000000005B66000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2120-131-0x00000000056C0000-0x00000000056C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-137-0x0000000007990000-0x0000000007991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-136-0x0000000007290000-0x0000000007291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-133-0x00000000059B0000-0x00000000059B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-130-0x0000000005680000-0x0000000005681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-123-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2120-128-0x0000000005B70000-0x0000000005B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-138-0x0000000007170000-0x0000000007171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-129-0x0000000005620000-0x0000000005621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3904-118-0x0000000005920000-0x0000000005921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3904-122-0x0000000005A20000-0x0000000005A27000-memory.dmp

    Filesize

    28KB

    Download

  • memory/3904-117-0x0000000005820000-0x0000000005821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3904-114-0x0000000000E90000-0x0000000000E91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3904-121-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3904-120-0x0000000005920000-0x0000000005E1E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3904-119-0x0000000003430000-0x0000000003431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3904-116-0x0000000005E20000-0x0000000005E21000-memory.dmp

    Filesize

    4KB

    Download