Analysis
- max time kernel: 16s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 07-08-2021 22:30
- Static task: static1
General
- Target: 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
- Size: 377KB
- MD5: da3d8058c36f4b3b423deb03b4379414
- SHA1: 03a817be59608078d08d9442fb16380735016818
- SHA256: 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2
- SHA512: c292766420203cbfc25427444efe17baf6f424c2891a8413936c3ee968ea088bb7e97212f3e20039f2b647e6984deaa123c91a06dc19c8d08531e04c3c776668
Malware Config
- Extracted family: redline
- Botnet: Focus1
- C2: 135.148.139.222:33569
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource: behavioral1/memory/4052-120-0x0000000000400000-0x000000000041E000-memory.dmp    yara_rule: family_redline
    resource: behavioral1/memory/4052-121-0x0000000000418E5A-mapping.dmp    yara_rule: family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2752 set thread context of 4052    pid: 2752    process: 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe    target process: 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 4052    process: 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
    pid: 4052    process: 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege    pid: 4052    process: 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (8 identical entries):
    description: PID 2752 wrote to memory of 4052    pid: 2752    process: 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe    target process: 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
Processes
1. "C:\Users\Admin\AppData\Local\Temp\8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe" (PID 2752)
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe (PID 4052, child of PID 2752)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe.log
  MD5: 41fbed686f5700fc29aaccf83e8ba7fd
  SHA1: 5271bc29538f11e42a3b600c8dc727186e912456
  SHA256: df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
  SHA512: 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
- memory/2752-116-0x0000000005520000-0x0000000005521000-memory.dmp    Filesize: 4KB
- memory/2752-117-0x00000000054E0000-0x00000000054E1000-memory.dmp    Filesize: 4KB
- memory/2752-118-0x0000000005B40000-0x0000000005B41000-memory.dmp    Filesize: 4KB
- memory/2752-119-0x00000000054A0000-0x0000000005516000-memory.dmp    Filesize: 472KB
- memory/2752-114-0x0000000000CE0000-0x0000000000CE1000-memory.dmp    Filesize: 4KB
- memory/4052-125-0x00000000058A0000-0x00000000058A1000-memory.dmp    Filesize: 4KB
- memory/4052-121-0x0000000000418E5A-mapping.dmp
- memory/4052-120-0x0000000000400000-0x000000000041E000-memory.dmp    Filesize: 120KB
- memory/4052-126-0x0000000005340000-0x0000000005341000-memory.dmp    Filesize: 4KB
- memory/4052-127-0x00000000053A0000-0x00000000053A1000-memory.dmp    Filesize: 4KB
- memory/4052-128-0x00000000053E0000-0x00000000053E1000-memory.dmp    Filesize: 4KB
- memory/4052-129-0x0000000005290000-0x0000000005896000-memory.dmp    Filesize: 6.0MB
- memory/4052-130-0x0000000005650000-0x0000000005651000-memory.dmp    Filesize: 4KB
- memory/4052-131-0x0000000006900000-0x0000000006901000-memory.dmp    Filesize: 4KB
- memory/4052-132-0x0000000007000000-0x0000000007001000-memory.dmp    Filesize: 4KB
- memory/4052-133-0x0000000006860000-0x0000000006861000-memory.dmp    Filesize: 4KB
- memory/4052-135-0x0000000006D80000-0x0000000006D81000-memory.dmp    Filesize: 4KB