Analysis
Max time kernel: 101s
Max time network: 114s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 14-09-2021 06:00
Static task: static1
General
Target: b6a6c9978ed365583d452a7ae13b2ad992bf61093dbe249a5ddbb35d75b2433f.exe
Size: 371KB
MD5: 9d8123347e8a40e913eaafe295420fbe
SHA1: 27135c12b82757683393d09d6a9555d12c1421f8
SHA256: b6a6c9978ed365583d452a7ae13b2ad992bf61093dbe249a5ddbb35d75b2433f
SHA512: 0f4b5d71568125bae3102d63eeb701b8e7d15ae315f07b970ecc9cd9a0d61945ed1241e56f171b573447aa24125170712221af65ed904f7ab42e9b8116adcdb4
Malware Config
Extracted
Family: redline
Botnet: 10fk
C2: 185.45.192.203:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Resource | YARA rule
  behavioral1/memory/4800-116-0x0000000003690000-0x00000000036AF000-memory.dmp | family_redline
  behavioral1/memory/4800-119-0x0000000003870000-0x000000000388E000-memory.dmp | family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID | Process
  4800 | b6a6c9978ed365583d452a7ae13b2ad992bf61093dbe249a5ddbb35d75b2433f.exe
  4800 | b6a6c9978ed365583d452a7ae13b2ad992bf61093dbe249a5ddbb35d75b2433f.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description | PID | Process
  Token: SeDebugPrivilege | 4800 | b6a6c9978ed365583d452a7ae13b2ad992bf61093dbe249a5ddbb35d75b2433f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b6a6c9978ed365583d452a7ae13b2ad992bf61093dbe249a5ddbb35d75b2433f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6a6c9978ed365583d452a7ae13b2ad992bf61093dbe249a5ddbb35d75b2433f.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads