Analysis
-
max time kernel
21s -
max time network
68s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-07-2021 03:21
Static task
static1
Behavioral task
behavioral1
Sample
704DF199EB1B0154A645C60364A8A28C.exe
Resource
win7v20210410
General
-
Target
704DF199EB1B0154A645C60364A8A28C.exe
-
Size
943KB
-
MD5
704df199eb1b0154a645c60364a8a28c
-
SHA1
5810a3118f77af1e9b2ea0c0a658244a1b6d2de6
-
SHA256
7a875017c121897c46818f9388f3c8cad4ac574a3b217c1a056f74b333f138c6
-
SHA512
70b3eccce060dc43bac69f4aaacf646d64d96314edd4bb2e45543d41bd5fa0546e314420f1ec6fee33fb7ecf48284b415a4de864c681aaec817fcd3db535c53e
Malware Config
Extracted
redline
Game#2
185.170.213.254:56663
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3204-121-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral2/memory/3204-122-0x0000000000417DFE-mapping.dmp family_redline behavioral2/memory/3204-130-0x00000000056A0000-0x0000000005CA6000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
704DF199EB1B0154A645C60364A8A28C.exedescription pid process target process PID 652 set thread context of 3204 652 704DF199EB1B0154A645C60364A8A28C.exe 704DF199EB1B0154A645C60364A8A28C.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
704DF199EB1B0154A645C60364A8A28C.exepid process 3204 704DF199EB1B0154A645C60364A8A28C.exe 3204 704DF199EB1B0154A645C60364A8A28C.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
704DF199EB1B0154A645C60364A8A28C.exedescription pid process Token: SeDebugPrivilege 3204 704DF199EB1B0154A645C60364A8A28C.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
704DF199EB1B0154A645C60364A8A28C.exedescription pid process target process PID 652 wrote to memory of 3204 652 704DF199EB1B0154A645C60364A8A28C.exe 704DF199EB1B0154A645C60364A8A28C.exe PID 652 wrote to memory of 3204 652 704DF199EB1B0154A645C60364A8A28C.exe 704DF199EB1B0154A645C60364A8A28C.exe PID 652 wrote to memory of 3204 652 704DF199EB1B0154A645C60364A8A28C.exe 704DF199EB1B0154A645C60364A8A28C.exe PID 652 wrote to memory of 3204 652 704DF199EB1B0154A645C60364A8A28C.exe 704DF199EB1B0154A645C60364A8A28C.exe PID 652 wrote to memory of 3204 652 704DF199EB1B0154A645C60364A8A28C.exe 704DF199EB1B0154A645C60364A8A28C.exe PID 652 wrote to memory of 3204 652 704DF199EB1B0154A645C60364A8A28C.exe 704DF199EB1B0154A645C60364A8A28C.exe PID 652 wrote to memory of 3204 652 704DF199EB1B0154A645C60364A8A28C.exe 704DF199EB1B0154A645C60364A8A28C.exe PID 652 wrote to memory of 3204 652 704DF199EB1B0154A645C60364A8A28C.exe 704DF199EB1B0154A645C60364A8A28C.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\704DF199EB1B0154A645C60364A8A28C.exe"C:\Users\Admin\AppData\Local\Temp\704DF199EB1B0154A645C60364A8A28C.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\704DF199EB1B0154A645C60364A8A28C.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\704DF199EB1B0154A645C60364A8A28C.exe.logMD5
eee751e7d08a15f861b3dbf7fe7e76fb
SHA1b54a0b5c94b8f199e296ff178f47f6501a901bae
SHA256edd33d14ad8796b7da96d4e0b464596b1740c9a356fa7e19abebe1fc30fdb580
SHA512743fe2b83df6cbd125d25c5f251f4a5d0d701751f14f66b650e3745dcb0fd14b5e7826fc2de32717afabc36770986ff0f2fcfb4864f968c9b5fa6857b8986113
-
memory/652-119-0x0000000000F00000-0x0000000000F03000-memory.dmpFilesize
12KB
-
memory/652-116-0x00000000074A0000-0x0000000007632000-memory.dmpFilesize
1.6MB
-
memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/652-118-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/652-120-0x00000000078E0000-0x00000000078E1000-memory.dmpFilesize
4KB
-
memory/652-117-0x0000000007D40000-0x0000000007D41000-memory.dmpFilesize
4KB
-
memory/3204-121-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3204-122-0x0000000000417DFE-mapping.dmp
-
memory/3204-136-0x00000000071E0000-0x00000000071E1000-memory.dmpFilesize
4KB
-
memory/3204-128-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/3204-127-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/3204-129-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/3204-130-0x00000000056A0000-0x0000000005CA6000-memory.dmpFilesize
6.0MB
-
memory/3204-131-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/3204-132-0x0000000006CA0000-0x0000000006CA1000-memory.dmpFilesize
4KB
-
memory/3204-133-0x00000000073A0000-0x00000000073A1000-memory.dmpFilesize
4KB
-
memory/3204-134-0x0000000006E70000-0x0000000006E71000-memory.dmpFilesize
4KB
-
memory/3204-126-0x0000000005CB0000-0x0000000005CB1000-memory.dmpFilesize
4KB