Overview

overview

10

Static

static

24dc9485b3...03.exe

windows7_x64

10

24dc9485b3...03.exe

windows10_x64

10

Analysis

  • max time kernel
    31s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    20-05-2021 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe

Score
10/10
redlinekreatordiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

KREATOR

C2

45.140.146.214:20498

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe
    "C:\Users\Admin\AppData\Local\Temp\24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe
      C:\Users\Admin\AppData\Local\Temp\24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003.exe.log
    MD5

    dd2ef82aadbe27e14a4559963b20a922

    SHA1

    26c25ef041c754f57adfcf6adb771afe846c283f

    SHA256

    a95abf66cbf5798298bee76416093cc5a415901a286cbd9cec22ef371e183f88

    SHA512

    b99345fd554ba284d40a403611253ba9c3f1fa497430db82b59c277f06c1c3f177f5f24af7b455e73483e92a08e7a9292aba96533630e30a10d8543f61db9f4e

    Download Submit
  • memory/2120-132-0x0000000005560000-0x0000000005B66000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2120-131-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2120-124-0x000000000041638E-mapping.dmp
    Download
  • memory/2120-137-0x0000000007990000-0x0000000007991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2120-136-0x0000000007290000-0x0000000007291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2120-133-0x00000000059B0000-0x00000000059B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2120-130-0x0000000005680000-0x0000000005681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2120-123-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2120-128-0x0000000005B70000-0x0000000005B71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2120-138-0x0000000007170000-0x0000000007171000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2120-129-0x0000000005620000-0x0000000005621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-118-0x0000000005920000-0x0000000005921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-122-0x0000000005A20000-0x0000000005A27000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3904-117-0x0000000005820000-0x0000000005821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-114-0x0000000000E90000-0x0000000000E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-121-0x0000000005CF0000-0x0000000005CF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-120-0x0000000005920000-0x0000000005E1E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3904-119-0x0000000003430000-0x0000000003431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-116-0x0000000005E20000-0x0000000005E21000-memory.dmp
    Filesize

    4KB

    Download