Analysis
- max time kernel: 22s
- max time network: 68s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-07-2021 12:04
Static task: static1
Behavioral task: behavioral1
  Sample: a61f6f94009c04607f1ba923adcaba0d.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: a61f6f94009c04607f1ba923adcaba0d.exe
  Resource: win10v20210408
General
- Target: a61f6f94009c04607f1ba923adcaba0d.exe
- Size: 796KB
- MD5: a61f6f94009c04607f1ba923adcaba0d
- SHA1: 71b964ba1d7a6ddcebb9fadf29efba3f440c00af
- SHA256: 36022c868a49fc44968f6647239106f536b2cae40340ad69e3772f7be482daf7
- SHA512: 0d108e686fa33405b2deb127de0cb4ab60d9960d1af43ea4886496f8249c131da8a5a378b6f61b3d8e09179a295e2a7365b01d2db22d0fd916ce3190904a97dd
Malware Config
Extracted:
- family: redline
- botnet: @bestiefFcs
- C2: 37.46.128.72:29799
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes (resource -> yara_rule):
    behavioral2/memory/3856-121-0x0000000000400000-0x000000000041E000-memory.dmp -> family_redline
    behavioral2/memory/3856-122-0x0000000000417E3E-mapping.dmp -> family_redline
    behavioral2/memory/3856-130-0x00000000055E0000-0x0000000005BE6000-memory.dmp -> family_redline
- Looks for VMWare Tools registry key (2 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 652 set thread context of 3856 / 652 / a61f6f94009c04607f1ba923adcaba0d.exe / a61f6f94009c04607f1ba923adcaba0d.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    3856 / a61f6f94009c04607f1ba923adcaba0d.exe
    3856 / a61f6f94009c04607f1ba923adcaba0d.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 3856 / a61f6f94009c04607f1ba923adcaba0d.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process), 8 identical entries:
    PID 652 wrote to memory of 3856 / 652 / a61f6f94009c04607f1ba923adcaba0d.exe / a61f6f94009c04607f1ba923adcaba0d.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a61f6f94009c04607f1ba923adcaba0d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a61f6f94009c04607f1ba923adcaba0d.exe"
  PID: 652
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a61f6f94009c04607f1ba923adcaba0d.exe (child of PID 652)
    Command line: "{path}"
    PID: 3856
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a61f6f94009c04607f1ba923adcaba0d.exe.log
  MD5: eee751e7d08a15f861b3dbf7fe7e76fb
  SHA1: b54a0b5c94b8f199e296ff178f47f6501a901bae
  SHA256: edd33d14ad8796b7da96d4e0b464596b1740c9a356fa7e19abebe1fc30fdb580
  SHA512: 743fe2b83df6cbd125d25c5f251f4a5d0d701751f14f66b650e3745dcb0fd14b5e7826fc2de32717afabc36770986ff0f2fcfb4864f968c9b5fa6857b8986113
- Memory dumps (file -> filesize):
  memory/652-119-0x0000000000F20000-0x0000000000F23000-memory.dmp -> 12KB
  memory/652-116-0x0000000007380000-0x0000000007481000-memory.dmp -> 1.0MB
  memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp -> 4KB
  memory/652-118-0x0000000004EF0000-0x0000000004EF1000-memory.dmp -> 4KB
  memory/652-120-0x00000000077F0000-0x00000000077F1000-memory.dmp -> 4KB
  memory/652-117-0x0000000007C10000-0x0000000007C11000-memory.dmp -> 4KB
  memory/3856-121-0x0000000000400000-0x000000000041E000-memory.dmp -> 120KB
  memory/3856-122-0x0000000000417E3E-mapping.dmp -> (no filesize reported)
  memory/3856-136-0x0000000006E80000-0x0000000006E81000-memory.dmp -> 4KB
  memory/3856-128-0x0000000003200000-0x0000000003201000-memory.dmp -> 4KB
  memory/3856-127-0x0000000003060000-0x0000000003061000-memory.dmp -> 4KB
  memory/3856-129-0x0000000003240000-0x0000000003241000-memory.dmp -> 4KB
  memory/3856-130-0x00000000055E0000-0x0000000005BE6000-memory.dmp -> 6.0MB
  memory/3856-131-0x0000000005850000-0x0000000005851000-memory.dmp -> 4KB
  memory/3856-132-0x0000000006A90000-0x0000000006A91000-memory.dmp -> 4KB
  memory/3856-133-0x0000000007190000-0x0000000007191000-memory.dmp -> 4KB
  memory/3856-134-0x0000000006A00000-0x0000000006A01000-memory.dmp -> 4KB
  memory/3856-126-0x0000000005BF0000-0x0000000005BF1000-memory.dmp -> 4KB