Analysis
-
max time kernel
28s -
max time network
119s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-07-2021 08:02
General
-
Target
a508db52daeb8b346612062b9080b301.exe
-
Size
371KB
-
MD5
a508db52daeb8b346612062b9080b301
-
SHA1
892023f25f110e41be76bb778bfe0ed36fe71145
-
SHA256
420b49fe0c671b7cad57dcdee0839d65c565c5e84a00c0470e5fe7380248d452
-
SHA512
69e56b26957c7a5e0af85bc16db2083675a2fdc35727ea6d099478fec8e0b3844da98d8ce92ef0ab5c219d58de8b725a007e6f9f0483e32c432f20951fe24c6d
Malware Config
Extracted
redline
atoms
176.96.238.188:20427
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a508db52daeb8b346612062b9080b301.exe"C:\Users\Admin\AppData\Local\Temp\a508db52daeb8b346612062b9080b301.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a508db52daeb8b346612062b9080b301.exeC:\Users\Admin\AppData\Local\Temp\a508db52daeb8b346612062b9080b301.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a508db52daeb8b346612062b9080b301.exe.logMD5
41fbed686f5700fc29aaccf83e8ba7fd
SHA15271bc29538f11e42a3b600c8dc727186e912456
SHA256df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
memory/192-129-0x00000000053F0000-0x00000000053F1000-memory.dmpFilesize
4KB
-
memory/192-120-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/192-126-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/192-136-0x00000000072D0000-0x00000000072D1000-memory.dmpFilesize
4KB
-
memory/192-127-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/192-121-0x000000000041884A-mapping.dmp
-
memory/192-124-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/192-128-0x0000000005080000-0x0000000005686000-memory.dmpFilesize
6.0MB
-
memory/192-133-0x0000000006950000-0x0000000006951000-memory.dmpFilesize
4KB
-
memory/192-131-0x0000000006DA0000-0x0000000006DA1000-memory.dmpFilesize
4KB
-
memory/192-125-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/192-130-0x00000000066A0000-0x00000000066A1000-memory.dmpFilesize
4KB
-
memory/804-114-0x0000000000940000-0x0000000000941000-memory.dmpFilesize
4KB
-
memory/804-117-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/804-118-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/804-119-0x00000000058E0000-0x00000000058E1000-memory.dmpFilesize
4KB
-
memory/804-116-0x0000000005280000-0x0000000005281000-memory.dmpFilesize
4KB