Analysis
- max time kernel: 15s
- max time network: 52s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 12:04
- Static task: static1
- Behavioral task: behavioral1 (sample a61f6f94009c04607f1ba923adcaba0d.exe, resource win7v20210410)
- Behavioral task: behavioral2 (sample a61f6f94009c04607f1ba923adcaba0d.exe, resource win10v20210408)
General
- Target: a61f6f94009c04607f1ba923adcaba0d.exe
- Size: 796KB
- MD5: a61f6f94009c04607f1ba923adcaba0d
- SHA1: 71b964ba1d7a6ddcebb9fadf29efba3f440c00af
- SHA256: 36022c868a49fc44968f6647239106f536b2cae40340ad69e3772f7be482daf7
- SHA512: 0d108e686fa33405b2deb127de0cb4ab60d9960d1af43ea4886496f8249c131da8a5a378b6f61b3d8e09179a295e2a7365b01d2db22d0fd916ce3190904a97dd
Malware Config
Extracted
- Family: redline
- Botnet: @bestiefFcs
- C2: 37.46.128.72:29799
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1804-63-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
  behavioral1/memory/1804-64-0x0000000000417E3E-mapping.dmp | family_redline
  behavioral1/memory/1804-65-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
- Looks for VMWare Tools registry key (2 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: a61f6f94009c04607f1ba923adcaba0d.exe
  description | pid | process | target process
  PID 1180 set thread context of 1804 | 1180 | a61f6f94009c04607f1ba923adcaba0d.exe | a61f6f94009c04607f1ba923adcaba0d.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: a61f6f94009c04607f1ba923adcaba0d.exe
  pid | process
  1804 | a61f6f94009c04607f1ba923adcaba0d.exe
  1804 | a61f6f94009c04607f1ba923adcaba0d.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: a61f6f94009c04607f1ba923adcaba0d.exe
  description | pid | process
  Token: SeDebugPrivilege | 1804 | a61f6f94009c04607f1ba923adcaba0d.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: a61f6f94009c04607f1ba923adcaba0d.exe
  description | pid | process | target process
  PID 1180 wrote to memory of 1804 | 1180 | a61f6f94009c04607f1ba923adcaba0d.exe | a61f6f94009c04607f1ba923adcaba0d.exe
  (the same row is recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\a61f6f94009c04607f1ba923adcaba0d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a61f6f94009c04607f1ba923adcaba0d.exe"
  PID: 1180
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\a61f6f94009c04607f1ba923adcaba0d.exe
    Command line: "{path}"
    PID: 1804
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1180-59-0x0000000000E00000-0x0000000000E01000-memory.dmp (Filesize 4KB)
- memory/1180-61-0x00000000070D0000-0x00000000071D1000-memory.dmp (Filesize 1.0MB)
- memory/1180-62-0x0000000000340000-0x0000000000343000-memory.dmp (Filesize 12KB)
- memory/1180-67-0x0000000000300000-0x0000000000301000-memory.dmp (Filesize 4KB)
- memory/1804-63-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/1804-64-0x0000000000417E3E-mapping.dmp
- memory/1804-65-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/1804-68-0x0000000004D20000-0x0000000004D21000-memory.dmp (Filesize 4KB)