Analysis
-
max time kernel
44s -
max time network
74s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
23-06-2021 16:51
Static task
static1
Behavioral task
behavioral1
Sample
987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe
Resource
win10v20210408
General
-
Target
987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe
-
Size
359KB
-
MD5
85c85b73c8cd6890d30fec1afa642311
-
SHA1
4bd515ec57e56e3be543d5a98fcecfb446113d52
-
SHA256
987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8829d6d537660b7f2826
-
SHA512
9c6f3289b29e57b58ed323df94e74acc4e25247568c6dce045391c4150d6a3ac653299ad07e25609f7a0314546f15f3513f6d8089f949736a121d14409dc09a1
Malware Config
Extracted
redline
185.215.113.50:43919
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1380-62-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/1380-63-0x0000000000417E26-mapping.dmp family_redline behavioral1/memory/1380-64-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exedescription pid Process procid_target PID 1724 set thread context of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exepid Process 1380 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 1380 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exedescription pid Process Token: SeDebugPrivilege 1380 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exedescription pid Process procid_target PID 1724 wrote to memory of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27 PID 1724 wrote to memory of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27 PID 1724 wrote to memory of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27 PID 1724 wrote to memory of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27 PID 1724 wrote to memory of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27 PID 1724 wrote to memory of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27 PID 1724 wrote to memory of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27 PID 1724 wrote to memory of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27 PID 1724 wrote to memory of 1380 1724 987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe"C:\Users\Admin\AppData\Local\Temp\987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exeC:\Users\Admin\AppData\Local\Temp\987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380
-