Analysis
max time kernel: 7s
max time network: 167s
platform: windows7_x64
resource: win7v20210410
submitted: 21-07-2021 20:57

Static task: static1
Behavioral task: behavioral1
  Sample: 7ED02CA6683BAE4874C4C904866F2E96.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 7ED02CA6683BAE4874C4C904866F2E96.exe
  Resource: win10v20210410
General
Target: 7ED02CA6683BAE4874C4C904866F2E96.exe
Size: 1.1MB
MD5: 7ed02ca6683bae4874c4c904866f2e96
SHA1: b3ab594e008a7507a3b5b103de156c27e1ecdbbe
SHA256: 926d1980fcca74794210a126faebacadeeb1b81a328f1d382531945b703f8aae
SHA512: 799a8a8bdc3b7bdf8e9ad11cc0f8d6b773d97fdd2a763f70acdf514179d446f87017394c2c2b1483e80a06d0e5a0d502d8acd34be40d073b4b81ad62407b1e98
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 6, ioc: checkip.amazonaws.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    PID 1180, 7ED02CA6683BAE4874C4C904866F2E96.exe
- Kills process with taskkill (1 IoCs)
  Processes:
    PID 1636, taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 1180, 7ED02CA6683BAE4874C4C904866F2E96.exe
    PID 1180, 7ED02CA6683BAE4874C4C904866F2E96.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 1180, 7ED02CA6683BAE4874C4C904866F2E96.exe
    Token: SeDebugPrivilege, PID 1636, taskkill.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    PID 1180, 7ED02CA6683BAE4874C4C904866F2E96.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1180 wrote to memory of 1508, 1180, 7ED02CA6683BAE4874C4C904866F2E96.exe, cmd.exe (4 events)
    PID 1508 wrote to memory of 1636, 1508, cmd.exe, taskkill.exe (4 events)
    PID 1508 wrote to memory of 808, 1508, cmd.exe, choice.exe (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\7ED02CA6683BAE4874C4C904866F2E96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ED02CA6683BAE4874C4C904866F2E96.exe"
  PID: 1180
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C taskkill /F /PID 1180 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7ED02CA6683BAE4874C4C904866F2E96.exe"
    PID: 1508
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID 1180
      PID: 1636
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\choice.exe
      Command line: choice /C Y /N /D Y /T 3
      PID: 808