Analysis
-
max time kernel
21s -
max time network
68s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-07-2021 03:21
General
-
Target
704DF199EB1B0154A645C60364A8A28C.exe
-
Size
943KB
-
MD5
704df199eb1b0154a645c60364a8a28c
-
SHA1
5810a3118f77af1e9b2ea0c0a658244a1b6d2de6
-
SHA256
7a875017c121897c46818f9388f3c8cad4ac574a3b217c1a056f74b333f138c6
-
SHA512
70b3eccce060dc43bac69f4aaacf646d64d96314edd4bb2e45543d41bd5fa0546e314420f1ec6fee33fb7ecf48284b415a4de864c681aaec817fcd3db535c53e
Malware Config
Extracted
redline
Game#2
185.170.213.254:56663
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\704DF199EB1B0154A645C60364A8A28C.exe"C:\Users\Admin\AppData\Local\Temp\704DF199EB1B0154A645C60364A8A28C.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\704DF199EB1B0154A645C60364A8A28C.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\704DF199EB1B0154A645C60364A8A28C.exe.logMD5
eee751e7d08a15f861b3dbf7fe7e76fb
SHA1b54a0b5c94b8f199e296ff178f47f6501a901bae
SHA256edd33d14ad8796b7da96d4e0b464596b1740c9a356fa7e19abebe1fc30fdb580
SHA512743fe2b83df6cbd125d25c5f251f4a5d0d701751f14f66b650e3745dcb0fd14b5e7826fc2de32717afabc36770986ff0f2fcfb4864f968c9b5fa6857b8986113
-
memory/652-119-0x0000000000F00000-0x0000000000F03000-memory.dmpFilesize
12KB
-
memory/652-116-0x00000000074A0000-0x0000000007632000-memory.dmpFilesize
1.6MB
-
memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/652-118-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/652-120-0x00000000078E0000-0x00000000078E1000-memory.dmpFilesize
4KB
-
memory/652-117-0x0000000007D40000-0x0000000007D41000-memory.dmpFilesize
4KB
-
memory/3204-121-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3204-122-0x0000000000417DFE-mapping.dmp
-
memory/3204-136-0x00000000071E0000-0x00000000071E1000-memory.dmpFilesize
4KB
-
memory/3204-128-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/3204-127-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/3204-129-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/3204-130-0x00000000056A0000-0x0000000005CA6000-memory.dmpFilesize
6.0MB
-
memory/3204-131-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/3204-132-0x0000000006CA0000-0x0000000006CA1000-memory.dmpFilesize
4KB
-
memory/3204-133-0x00000000073A0000-0x00000000073A1000-memory.dmpFilesize
4KB
-
memory/3204-134-0x0000000006E70000-0x0000000006E71000-memory.dmpFilesize
4KB
-
memory/3204-126-0x0000000005CB0000-0x0000000005CB1000-memory.dmpFilesize
4KB