Analysis
- max time kernel: 64s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 12-09-2021 21:02
- Static task: static1
General
- Target: 5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe
- Size: 402KB
- MD5: 454ed4e5b18d9a3b849174b54582f8b5
- SHA1: dab955c4b50cd7c617a0266540904b77e87b95ac
- SHA256: 5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0
- SHA512: 801318bbe8350b19eea17ed1f5a770e4b4b5191f39153398fab0ea8bbfce975484e65c4021982147448b8a59e92caa1e478f659fda5ffaf175b4cf714015136e
Malware Config
Extracted
- Family: redline
- Botnet: 10fk
- C2: 185.45.192.203:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1832-116-0x00000000036D0000-0x00000000036EF000-memory.dmp | family_redline
  behavioral1/memory/1832-121-0x00000000039B0000-0x00000000039CE000-memory.dmp | family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1832 | 5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe
  1832 | 5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1832 | 5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1832-114-0x0000000001A30000-0x0000000001A60000-memory.dmp (192KB)
- memory/1832-115-0x0000000000400000-0x000000000179C000-memory.dmp (19.6MB)
- memory/1832-116-0x00000000036D0000-0x00000000036EF000-memory.dmp (124KB)
- memory/1832-117-0x0000000005F80000-0x0000000005F81000-memory.dmp (4KB)
- memory/1832-118-0x0000000005F70000-0x0000000005F71000-memory.dmp (4KB)
- memory/1832-120-0x0000000005F73000-0x0000000005F74000-memory.dmp (4KB)
- memory/1832-119-0x0000000005F72000-0x0000000005F73000-memory.dmp (4KB)
- memory/1832-121-0x00000000039B0000-0x00000000039CE000-memory.dmp (120KB)
- memory/1832-122-0x0000000006480000-0x0000000006481000-memory.dmp (4KB)
- memory/1832-123-0x0000000005EB0000-0x0000000005EB1000-memory.dmp (4KB)
- memory/1832-124-0x0000000006A90000-0x0000000006A91000-memory.dmp (4KB)
- memory/1832-125-0x0000000005F74000-0x0000000005F76000-memory.dmp (8KB)
- memory/1832-126-0x0000000005EE0000-0x0000000005EE1000-memory.dmp (4KB)
- memory/1832-127-0x0000000006BA0000-0x0000000006BA1000-memory.dmp (4KB)
- memory/1832-128-0x0000000007DB0000-0x0000000007DB1000-memory.dmp (4KB)
- memory/1832-129-0x0000000007F80000-0x0000000007F81000-memory.dmp (4KB)
- memory/1832-130-0x00000000085A0000-0x00000000085A1000-memory.dmp (4KB)
- memory/1832-131-0x0000000008900000-0x0000000008901000-memory.dmp (4KB)
- memory/1832-132-0x00000000089B0000-0x00000000089B1000-memory.dmp (4KB)
- memory/1832-133-0x0000000008980000-0x0000000008981000-memory.dmp (4KB)
- memory/1832-134-0x0000000008C80000-0x0000000008C81000-memory.dmp (4KB)