Analysis
-
max time kernel
78s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en -
submitted
14-09-2021 02:00
Static task
static1
General
-
Target
5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169.exe
-
Size
371KB
-
MD5
011ba54432a3af0c7202ee99752af765
-
SHA1
f6eab0158e2bd577551790d551e7713c25a2cbc2
-
SHA256
5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169
-
SHA512
d78220941d85d6d10832332bf06cf604b4e9b10858afc0788a287199d400c022b45239a48c9968edb927df81fb6df47accf3a3a8e9d889eb45ba88fa6ec69e94
Malware Config
Extracted
redline
10fk
185.45.192.203:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Matching resources:
resource | yara_rule
behavioral1/memory/3332-115-0x0000000003590000-0x00000000035AF000-memory.dmp | family_redline
behavioral1/memory/3332-122-0x0000000003910000-0x000000000392E000-memory.dmp | family_redline
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and browsing history.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and its WOW6432Node and HKCU equivalents) to enumerate the software installed on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169.exe
pid | process
3332 | 5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169.exe
3332 | 5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169.exe
description | pid | process
Token: SeDebugPrivilege | 3332 | 5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
resource | Filesize
memory/3332-115-0x0000000003590000-0x00000000035AF000-memory.dmp | 124KB
memory/3332-117-0x0000000000400000-0x0000000001794000-memory.dmp | 19.6MB
memory/3332-116-0x00000000034C0000-0x00000000034F0000-memory.dmp | 192KB
memory/3332-120-0x0000000005F40000-0x0000000005F41000-memory.dmp | 4KB
memory/3332-118-0x0000000005F33000-0x0000000005F34000-memory.dmp | 4KB
memory/3332-119-0x0000000005F30000-0x0000000005F31000-memory.dmp | 4KB
memory/3332-121-0x0000000005F32000-0x0000000005F33000-memory.dmp | 4KB
memory/3332-122-0x0000000003910000-0x000000000392E000-memory.dmp | 120KB
memory/3332-123-0x0000000006440000-0x0000000006441000-memory.dmp | 4KB
memory/3332-124-0x0000000005EB0000-0x0000000005EB1000-memory.dmp | 4KB
memory/3332-125-0x0000000006A50000-0x0000000006A51000-memory.dmp | 4KB
memory/3332-126-0x0000000005F34000-0x0000000005F36000-memory.dmp | 8KB
memory/3332-127-0x0000000005EE0000-0x0000000005EE1000-memory.dmp | 4KB
memory/3332-128-0x0000000006B90000-0x0000000006B91000-memory.dmp | 4KB
memory/3332-129-0x0000000007DB0000-0x0000000007DB1000-memory.dmp | 4KB
memory/3332-130-0x0000000007F80000-0x0000000007F81000-memory.dmp | 4KB
memory/3332-131-0x00000000085A0000-0x00000000085A1000-memory.dmp | 4KB
memory/3332-132-0x0000000008960000-0x0000000008961000-memory.dmp | 4KB
memory/3332-133-0x0000000008A30000-0x0000000008A31000-memory.dmp | 4KB
memory/3332-134-0x00000000089F0000-0x00000000089F1000-memory.dmp | 4KB
memory/3332-135-0x00000000099B0000-0x00000000099B1000-memory.dmp | 4KB
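The Malware Config and Downloads sections of this report are regular enough to check mechanically. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses each dump file name into pid, dump index and virtual address range, recomputes the size from the range and compares it with the printed value, and marks the two regions the family_redline rule matched. The config lines and dump entries embedded in it are copied from the report above; treating the second config line (10fk) as a botnet/campaign ID is an assumption, since the report prints it without a label.

```python
import re
from dataclasses import dataclass

# Copied from the report's Malware Config "Extracted" block.
CONFIG_LINES = ["redline", "10fk", "185.45.192.203:80"]

# Subset of the report's Downloads section: (dump name, size as printed).
REPORT_DUMPS = [
    ("memory/3332-115-0x0000000003590000-0x00000000035AF000-memory.dmp", "124KB"),
    ("memory/3332-117-0x0000000000400000-0x0000000001794000-memory.dmp", "19.6MB"),
    ("memory/3332-116-0x00000000034C0000-0x00000000034F0000-memory.dmp", "192KB"),
    ("memory/3332-118-0x0000000005F33000-0x0000000005F34000-memory.dmp", "4KB"),
    ("memory/3332-122-0x0000000003910000-0x000000000392E000-memory.dmp", "120KB"),
    ("memory/3332-126-0x0000000005F34000-0x0000000005F36000-memory.dmp", "8KB"),
]

# Dumps the "RedLine Payload" signature matched with the family_redline YARA rule.
YARA_HITS = {
    "memory/3332-115-0x0000000003590000-0x00000000035AF000-memory.dmp",
    "memory/3332-122-0x0000000003910000-0x000000000392E000-memory.dmp",
}

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
C2_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump(name: str) -> DumpRegion:
    """Pull pid, dump index and virtual address range out of a dump file name."""
    m = DUMP_RE.fullmatch(name.strip())
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    region = DumpRegion(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))
    if region.end <= region.start:
        raise ValueError(f"empty or inverted address range: {name!r}")
    return region


def human_size(n: int) -> str:
    """Format bytes the way the report prints them: whole KB below 1 MB, else MB to one decimal."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def verify_sizes(dumps):
    """Return (name, printed, computed) for every dump whose printed size disagrees with its range."""
    bad = []
    for name, printed in dumps:
        computed = human_size(parse_dump(name).size)
        if computed != printed:
            bad.append((name, printed, computed))
    return bad


def parse_config(lines):
    """Config block: family, then an ID line (assumed botnet/campaign ID), then host:port per C2."""
    if len(lines) < 3:
        raise ValueError("expected family, id and at least one C2 line")
    c2s = []
    for line in lines[2:]:
        m = C2_RE.match(line.strip())
        if m is None:
            raise ValueError(f"bad C2 entry: {line!r}")
        port = int(m["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {line!r}")
        c2s.append((m["host"], port))
    return {"family": lines[0].strip(), "id": lines[1].strip(), "c2": c2s}


def summarize(dumps, yara_hits):
    """One row per dump, sorted by dump index, with a flag for regions the family rule matched."""
    rows = []
    for name, _ in dumps:
        r = parse_dump(name)
        rows.append({"pid": r.pid, "index": r.index, "start": r.start, "end": r.end,
                     "size": r.size, "redline": name in yara_hits})
    return sorted(rows, key=lambda row: row["index"])


def flagged_indices(dumps, yara_hits):
    """Dump indices the family rule matched, in index order."""
    return [row["index"] for row in summarize(dumps, yara_hits) if row["redline"]]


if __name__ == "__main__":
    print(parse_config(CONFIG_LINES))
    for row in summarize(REPORT_DUMPS, YARA_HITS):
        flag = " <- family_redline" if row["redline"] else ""
        print(f"{row['index']:>3} 0x{row['start']:08X}-0x{row['end']:08X} "
              f"{human_size(row['size']):>7}{flag}")
    print("size mismatches:", verify_sizes(REPORT_DUMPS))
```

Run as a script it prints the parsed config, the dump listing with the matched regions flagged, and an empty mismatch list, confirming that every printed size is simply end minus start. The two dumps the rule fired on are the small regions at 0x3590000 and 0x3910000, not the 19.6MB image mapping at 0x400000, so those two are the ones to pull from the sandbox for further analysis.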