Analysis
max time kernel: 16s
max time network: 152s
platform: windows10_x64
resource: win10v20210410
submitted: 27-07-2021 17:01
Static task: static1
Behavioral task: behavioral1
Sample: 9c475d84307dae5a6d5b9f5d219e6f8dd497952db2a4068399f6b1fe858802ea.exe
Resource: win10v20210410
General
Target: 9c475d84307dae5a6d5b9f5d219e6f8dd497952db2a4068399f6b1fe858802ea.exe
Size: 381KB
MD5: bad151b059bc5e64585c2e8da4ec1844
SHA1: 0422653e96d107714ab6a00fcda6cbba180165ff
SHA256: 9c475d84307dae5a6d5b9f5d219e6f8dd497952db2a4068399f6b1fe858802ea
SHA512: da8cc0048249ae254db8b0762ced25cd5f7a8307a5629231de2f50c90b8b8f79961f3236e22e5f6ab7aa29c57a52fcdc88bfcf975c8082b9108a2a52868b7a6b
Malware Config
Extracted
Family: redline
Botnet: SewPalpadin
C2: 185.215.113.114:8887
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
Memory dumps matching YARA rule family_redline:
behavioral1/memory/500-114-0x0000000002180000-0x000000000219B000-memory.dmp
behavioral1/memory/500-116-0x0000000002650000-0x0000000002669000-memory.dmp
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid 500, process 9c475d84307dae5a6d5b9f5d219e6f8dd497952db2a4068399f6b1fe858802ea.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
pid 500, process 9c475d84307dae5a6d5b9f5d219e6f8dd497952db2a4068399f6b1fe858802ea.exe, description: Token: SeDebugPrivilege
Processes
- C:\Users\Admin\AppData\Local\Temp\9c475d84307dae5a6d5b9f5d219e6f8dd497952db2a4068399f6b1fe858802ea.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9c475d84307dae5a6d5b9f5d219e6f8dd497952db2a4068399f6b1fe858802ea.exe"
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Downloads
memory/500-114-0x0000000002180000-0x000000000219B000-memory.dmp  Filesize 108KB
memory/500-115-0x0000000004BE0000-0x0000000004BE1000-memory.dmp  Filesize 4KB
memory/500-116-0x0000000002650000-0x0000000002669000-memory.dmp  Filesize 100KB
memory/500-117-0x00000000050E0000-0x00000000050E1000-memory.dmp  Filesize 4KB
memory/500-118-0x0000000002710000-0x0000000002711000-memory.dmp  Filesize 4KB
memory/500-120-0x0000000000400000-0x000000000047A000-memory.dmp  Filesize 488KB
memory/500-119-0x0000000000480000-0x00000000005CA000-memory.dmp  Filesize 1.3MB
memory/500-121-0x0000000002850000-0x0000000002851000-memory.dmp  Filesize 4KB
memory/500-123-0x0000000002853000-0x0000000002854000-memory.dmp  Filesize 4KB
memory/500-122-0x0000000002852000-0x0000000002853000-memory.dmp  Filesize 4KB
memory/500-124-0x0000000002730000-0x0000000002731000-memory.dmp  Filesize 4KB
memory/500-125-0x0000000002790000-0x0000000002791000-memory.dmp  Filesize 4KB
memory/500-126-0x0000000005790000-0x0000000005791000-memory.dmp  Filesize 4KB
memory/500-127-0x0000000002854000-0x0000000002856000-memory.dmp  Filesize 8KB
memory/500-128-0x0000000006470000-0x0000000006471000-memory.dmp  Filesize 4KB
memory/500-129-0x0000000006640000-0x0000000006641000-memory.dmp  Filesize 4KB
memory/500-130-0x0000000006C90000-0x0000000006C91000-memory.dmp  Filesize 4KB
memory/500-131-0x0000000006FE0000-0x0000000006FE1000-memory.dmp  Filesize 4KB