Analysis

  • max time kernel
    118s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    20-07-2021 12:49

General

  • Target

    Zz7RR7rXlZGNlYe2MPaS__R2.exe

  • Size

    364KB

  • MD5

    feae24e878230fff4bad62996c1d0325

  • SHA1

    1191311e26f9909341da8982934863dfa3089992

  • SHA256

    0afeecacdddfdd9a9609abba82f70ccfd06d668536b09220c34e807e5f3b8557

  • SHA512

    0ae2dd7e3c95dbfe425eeb22e7ba4b0688f06df026513bac786fe9f60868594a316333f646128188e8b911c6682e7603670ee20673a9f8f320a2626ba7fe7575

Malware Config

Extracted

Family

redline

Botnet

sel17

C2

dwarimlari.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • redlinestealer 3 IoCs

    RedlineStealer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Zz7RR7rXlZGNlYe2MPaS__R2.exe
    "C:\Users\Admin\AppData\Local\Temp\Zz7RR7rXlZGNlYe2MPaS__R2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\Zz7RR7rXlZGNlYe2MPaS__R2.exe
      C:\Users\Admin\AppData\Local\Temp\Zz7RR7rXlZGNlYe2MPaS__R2.exe
      2⤵
        PID:2008
      • C:\Users\Admin\AppData\Local\Temp\Zz7RR7rXlZGNlYe2MPaS__R2.exe
        C:\Users\Admin\AppData\Local\Temp\Zz7RR7rXlZGNlYe2MPaS__R2.exe
        2⤵
          PID:752
        • C:\Users\Admin\AppData\Local\Temp\Zz7RR7rXlZGNlYe2MPaS__R2.exe
          C:\Users\Admin\AppData\Local\Temp\Zz7RR7rXlZGNlYe2MPaS__R2.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:380

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Collection

      Data from Local System

      2
      T1005

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/380-63-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

      • memory/380-64-0x0000000000417DEA-mapping.dmp
      • memory/380-65-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

      • memory/380-67-0x0000000004D10000-0x0000000004D11000-memory.dmp
        Filesize

        4KB

      • memory/2016-60-0x00000000001C0000-0x00000000001C1000-memory.dmp
        Filesize

        4KB

      • memory/2016-62-0x00000000041D0000-0x00000000041D1000-memory.dmp
        Filesize

        4KB