Analysis
-
max time kernel
46s -
max time network
48s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
16-06-2021 14:45
Static task
static1
Behavioral task
behavioral1
Sample
5e51ff771292d383b9942ee310a0df1c.exe
Resource
win7v20210408
General
-
Target
5e51ff771292d383b9942ee310a0df1c.exe
-
Size
389KB
-
MD5
5e51ff771292d383b9942ee310a0df1c
-
SHA1
7bfc60c43aa71cb52ec9d09f59c1f28ae784658f
-
SHA256
532ad0ae1e8256d6a9bb94dae853f8cae2d497999070d4d1e26a39e046032548
-
SHA512
f972a31249ead48954055c5687371c441edf9786a03ee76c93b57c9f5e737d84f74a91f8dfb90a306ef5f388424c9436097e28edd41b5f8eb0fd1cf921176884
Malware Config
Extracted
redline
16.06
185.215.113.15:61506
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral1/memory/1988-62-0x0000000004BE0000-0x0000000004BFA000-memory.dmp family_redline behavioral1/memory/1988-66-0x0000000004DE0000-0x0000000004DF9000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1988 5e51ff771292d383b9942ee310a0df1c.exe 1988 5e51ff771292d383b9942ee310a0df1c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1988 5e51ff771292d383b9942ee310a0df1c.exe