Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
24-05-2021 19:23
General
-
Target
Install_Plugin_x64_x86.exe
-
Size
1.1MB
-
MD5
ffe3cce3479bb06607d5056e6dbca530
-
SHA1
5aff7d6fd1aae0a2d66edf5692216749ba31658f
-
SHA256
079e85bcaa57b334fa9b3debe99c9f0402eb01104c9fdf3811e34e17308d64f0
-
SHA512
8b8efc3df750119418c2426f792b13d00b1afa2e05f0df18bcf1a1d90150a5f716fda785ba3752d8a2c9193b8bbd0d8d2c1debc71c027f1011c3378493e2d350
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
10
C2
86.107.197.200:40355
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Install_Plugin_x64_x86.exe"C:\Users\Admin\AppData\Local\Temp\Install_Plugin_x64_x86.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1872-125-0x000000000042B086-mapping.dmp
-
memory/1872-135-0x0000000005A20000-0x0000000005A21000-memory.dmpFilesize
4KB
-
memory/1872-134-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/1872-133-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/1872-132-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/1872-131-0x0000000005CA0000-0x0000000005CA1000-memory.dmpFilesize
4KB
-
memory/1872-130-0x00000000054C0000-0x00000000054C1000-memory.dmpFilesize
4KB
-
memory/1872-129-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/1872-128-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/1872-124-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4044-119-0x0000000005050000-0x000000000554E000-memory.dmpFilesize
5.0MB
-
memory/4044-123-0x000000000C120000-0x000000000C1A9000-memory.dmpFilesize
548KB
-
memory/4044-122-0x0000000009C60000-0x0000000009D23000-memory.dmpFilesize
780KB
-
memory/4044-121-0x0000000008420000-0x0000000008421000-memory.dmpFilesize
4KB
-
memory/4044-120-0x0000000006CF0000-0x0000000006CF5000-memory.dmpFilesize
20KB
-
memory/4044-114-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/4044-118-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/4044-117-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/4044-116-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB