Analysis
- Max time kernel: 119s
- Max time network: 151s
- Platform: windows10_x64
- Resource: win10-en-20210920
- Submitted: 26-09-2021 23:10
- Static task: static1
General
- Target: 55ba1a8dbb38cee7ae183649ff99dafe9babd3a33e2b4a0fcfb2b3e923f43251.exe
- Size: 239KB
- MD5: e3acfa8c179f5d01e9ec0c8d76bca030
- SHA1: ef9648bb29f5fa8ecf5de0c202f2961d150f3a3d
- SHA256: 55ba1a8dbb38cee7ae183649ff99dafe9babd3a33e2b4a0fcfb2b3e923f43251
- SHA512: 139a5a94bd16cd33a1338e97739884b3fa0575f31efdcacbff1c939203660cd966fe82621855627bca43d368919589b8a0692cbc72602970acadab1875e719e5
Malware Config
Extracted
- Family: redline
- Botnet: PUB
- C2: 45.9.20.20:13441
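An added example (written for this page; it is not part of the Triage report and not Triage's code) that turns the extracted config above into something a SOC can act on: it parses the C2 entry, emits a Suricata rule for it, and hunts for the indicator in firewall log lines, distinguishing an exact ip:port hit from a connection to the same host on another port. Only 45.9.20.20:13441, the family name and the PUB botnet tag come from the report; the log format, host names, the other destinations and the Suricata sid are constructed for illustration.

```python
"""Added example: turn the extracted RedLine config into network detections."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Values taken from the report's Malware Config section.
EXTRACTED_CONFIG = {"family": "redline", "botnet": "PUB", "c2": ["45.9.20.20:13441"]}

# Constructed firewall log lines (assumed format, not from the report):
# an exact C2 hit, the C2 host on another port, and two unrelated flows.
SAMPLE_LOGS = [
    "2021-09-27T01:10:03Z host=WS-0421 proto=tcp src=10.0.3.44:51022 dst=45.9.20.20:13441 action=allow bytes_out=18342",
    "2021-09-27T01:10:09Z host=WS-0421 proto=tcp src=10.0.3.44:51023 dst=45.9.20.20:443 action=allow bytes_out=1201",
    "2021-09-27T01:11:15Z host=WS-0118 proto=tcp src=10.0.5.9:49811 dst=203.0.113.7:443 action=allow bytes_out=5120",
    "2021-09-27T01:12:40Z host=WS-0421 proto=udp src=10.0.3.44:60010 dst=10.0.0.2:53 action=allow bytes_out=71",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)


def parse_c2(entry: str) -> Tuple[str, int]:
    """'45.9.20.20:13441' -> ('45.9.20.20', 13441); rejects malformed entries."""
    ip, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad C2 entry: {entry!r}")
    return ip, int(port)


def indicators(config: Dict) -> Tuple[Set[Tuple[str, int]], Set[str]]:
    """Exact ip:port pairs, plus the bare hosts for lower-confidence matching."""
    pairs = {parse_c2(e) for e in config["c2"]}
    return pairs, {ip for ip, _ in pairs}


def classify(line: str, pairs: Set[Tuple[str, int]], hosts: Set[str]) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: skipped here, count these separately in production
    dst = (m["dst_ip"], int(m["dst_port"]))
    if dst in pairs:
        confidence = "high"    # exact ip:port from the extracted config
    elif dst[0] in hosts:
        confidence = "medium"  # same host, other port: possible C2 port rotation
    else:
        return None
    return {"ts": m["ts"], "host": m["host"], "src": m["src_ip"],
            "dst": f"{dst[0]}:{dst[1]}", "confidence": confidence}


def hunt(lines: List[str], config: Dict = EXTRACTED_CONFIG) -> List[Dict]:
    pairs, hosts = indicators(config)
    return [hit for hit in (classify(ln, pairs, hosts) for ln in lines) if hit]


def suricata_rules(config: Dict, base_sid: int = 1000001) -> List[str]:
    """One alert per C2 pair. base_sid is a placeholder; pick one from your local sid range."""
    pairs, _ = indicators(config)
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{config["family"].upper()} C2 '
        f'botnet {config["botnet"]}"; flow:to_server,established; '
        f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(sorted(pairs))
    ]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
    print("\n".join(suricata_rules(EXTRACTED_CONFIG)))
```

The medium-confidence tier exists because RedLine operators can redeploy a panel on another port of the same host; it should raise a lower-severity alert rather than be dropped. Unparsable lines are skipped rather than treated as misses, so in production keep a counter of them.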
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  resource                                                                       yara_rule
  behavioral1/memory/2160-118-0x0000000002330000-0x000000000234F000-memory.dmp  family_redline
  behavioral1/memory/2160-120-0x00000000024C0000-0x00000000024DE000-memory.dmp  family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, its WOW6432Node counterpart and the per-user HKCU key) to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid   process
  2160  55ba1a8dbb38cee7ae183649ff99dafe9babd3a33e2b4a0fcfb2b3e923f43251.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  SeDebugPrivilege lets the holder open any process, including SYSTEM-owned ones, regardless of the process DACL.
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  2160  55ba1a8dbb38cee7ae183649ff99dafe9babd3a33e2b4a0fcfb2b3e923f43251.exe
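The signatures above describe behaviours, not a detection. As an added example (written for this page, not code from the report or from Triage), the block below correlates those behaviours per process over constructed Sysmon-style events: enabling SeDebugPrivilege, enumerating processes, querying the Uninstall key, and reading browser and wallet files. It scores distinct categories rather than event counts and requires reconnaissance plus data access before flagging, so a software updater that only reads Uninstall keys, or a backup agent that only reads files, does not fire. The event schema, the browser and wallet path patterns, the weights, the threshold and the two benign processes are assumptions; the report itself names only the behaviours and PID 2160.

```python
"""Added example: correlate the report's host behaviours per process."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed Sysmon-style events (assumed schema; not from the report).
# PID 2160 mirrors the sample; 4412 and 5100 are assumed benign processes.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\55ba1a8dbb38cee7ae183649ff99dafe9babd3a33e2b4a0fcfb2b3e923f43251.exe"


def ev(pid: int, image: str, kind: str, detail: str) -> Dict:
    return {"pid": pid, "image": image, "type": kind, "detail": detail}


EVENTS = [
    ev(2160, SAMPLE_EXE, "privilege", "SeDebugPrivilege"),
    ev(2160, SAMPLE_EXE, "process_enum", "CreateToolhelp32Snapshot"),
    ev(2160, SAMPLE_EXE, "reg_query", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"),
    ev(2160, SAMPLE_EXE, "file_read", r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ev(2160, SAMPLE_EXE, "file_read", r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    ev(2160, SAMPLE_EXE, "file_read", r"C:\Users\Admin\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    ev(4412, r"C:\Program Files\Vendor\Updater.exe", "reg_query",
       r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VendorApp"),
    ev(4412, r"C:\Program Files\Vendor\Updater.exe", "file_read", r"C:\Program Files\Vendor\version.txt"),
    ev(5100, r"C:\Program Files\Backup\Agent.exe", "file_read",
       r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ev(5100, r"C:\Program Files\Backup\Agent.exe", "file_read", r"C:\Users\Admin\AppData\Roaming\Bitcoin\wallet.dat"),
]

# Path patterns are assumptions about commonly targeted files, not taken from the report.
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)
BROWSER_DATA = re.compile(r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.I)
WALLET_DATA = re.compile(r"\\(wallet\.dat|exodus\.wallet|Electrum\\wallets|Ethereum\\keystore)(\\|$)", re.I)

# Distinct categories are weighted; access to secrets counts more than reconnaissance.
WEIGHTS = {"debug_privilege": 1, "process_enum": 1, "software_enum": 1, "browser_data": 3, "wallet_data": 3}
SCORE_THRESHOLD = 5
MIN_CATEGORIES = 3  # recon plus data access: a lone Uninstall query or backup read must not fire


def categorize(event: Dict) -> Optional[str]:
    kind, detail = event["type"], event["detail"]
    if kind == "privilege" and detail == "SeDebugPrivilege":
        return "debug_privilege"
    if kind == "process_enum":
        return "process_enum"
    if kind == "reg_query" and UNINSTALL_KEY.search(detail):
        return "software_enum"
    if kind == "file_read" and BROWSER_DATA.search(detail):
        return "browser_data"
    if kind == "file_read" and WALLET_DATA.search(detail):
        return "wallet_data"
    return None


def score_processes(events: List[Dict]) -> Dict[int, Dict]:
    """Score by the set of distinct categories, so repeated reads do not inflate the score."""
    per_pid: Dict[int, Dict] = defaultdict(lambda: {"image": None, "categories": set(), "evidence": []})
    for event in events:
        cat = categorize(event)
        if cat is None:
            continue
        rec = per_pid[event["pid"]]
        rec["image"] = event["image"]
        rec["categories"].add(cat)
        rec["evidence"].append((cat, event["detail"]))
    result = {}
    for pid, rec in per_pid.items():
        score = sum(WEIGHTS[c] for c in rec["categories"])
        flagged = score >= SCORE_THRESHOLD and len(rec["categories"]) >= MIN_CATEGORIES
        result[pid] = {**rec, "score": score, "flagged": flagged}
    return result


def flagged_pids(events: List[Dict]) -> List[int]:
    return sorted(pid for pid, rec in score_processes(events).items() if rec["flagged"])


if __name__ == "__main__":
    for pid, rec in score_processes(EVENTS).items():
        print(pid, rec["score"], "FLAGGED" if rec["flagged"] else "ok", rec["image"])
```

In a real pipeline key the correlation on the Sysmon ProcessGuid rather than the PID, since PIDs are reused, and bound the correlation window to the process lifetime.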
Processes
- C:\Users\Admin\AppData\Local\Temp\55ba1a8dbb38cee7ae183649ff99dafe9babd3a33e2b4a0fcfb2b3e923f43251.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55ba1a8dbb38cee7ae183649ff99dafe9babd3a33e2b4a0fcfb2b3e923f43251.exe"
  PID: 2160
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2160-116-0x0000000000400000-0x00000000004C3000-memory.dmp (780KB)
- memory/2160-115-0x0000000000610000-0x000000000075A000-memory.dmp (1.3MB)
- memory/2160-117-0x0000000004E00000-0x0000000004E01000-memory.dmp (4KB)
- memory/2160-118-0x0000000002330000-0x000000000234F000-memory.dmp (124KB)
- memory/2160-119-0x0000000004E10000-0x0000000004E11000-memory.dmp (4KB)
- memory/2160-120-0x00000000024C0000-0x00000000024DE000-memory.dmp (120KB)
- memory/2160-121-0x0000000005310000-0x0000000005311000-memory.dmp (4KB)
- memory/2160-122-0x0000000002780000-0x0000000002781000-memory.dmp (4KB)
- memory/2160-123-0x0000000004CB0000-0x0000000004CB1000-memory.dmp (4KB)
- memory/2160-124-0x00000000028C0000-0x00000000028C1000-memory.dmp (4KB)
- memory/2160-125-0x0000000005920000-0x0000000005921000-memory.dmp (4KB)
- memory/2160-127-0x0000000004E03000-0x0000000004E04000-memory.dmp (4KB)
- memory/2160-126-0x0000000004E02000-0x0000000004E03000-memory.dmp (4KB)
- memory/2160-128-0x0000000004E04000-0x0000000004E06000-memory.dmp (8KB)
- memory/2160-129-0x0000000006AE0000-0x0000000006AE1000-memory.dmp (4KB)
- memory/2160-130-0x0000000006CB0000-0x0000000006CB1000-memory.dmp (4KB)
- memory/2160-131-0x00000000072D0000-0x00000000072D1000-memory.dmp (4KB)
- memory/2160-132-0x0000000007660000-0x0000000007661000-memory.dmp (4KB)
- memory/2160-133-0x0000000007760000-0x0000000007761000-memory.dmp (4KB)
- memory/2160-134-0x0000000007720000-0x0000000007721000-memory.dmp (4KB)
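The dump names in the Downloads list encode the PID, a dump index and the virtual address range of the region (memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp). The following added example (written for this page, not Triage's code) parses that naming scheme, recomputes each size from the range to check it against the listed value, and selects the dumps the family_redline rule matched, which are the regions to pull first for config extraction. Note that the two hits are the 124KB and 120KB regions, not the 780KB region at 0x400000. The names, sizes and rule hits are copied from the lists above; the function names and the size-formatting rule (whole KB below 1 MiB, one-decimal MB above, inferred from the listed values) are assumptions.

```python
"""Added example: parse the report's memory-dump names and select the YARA-hit regions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

DUMP_RE = re.compile(
    r"^(?:behavioral1/)?memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Name -> size as listed in the Downloads section (a subset, copied from the report).
REPORT_DUMPS = {
    "memory/2160-116-0x0000000000400000-0x00000000004C3000-memory.dmp": "780KB",
    "memory/2160-115-0x0000000000610000-0x000000000075A000-memory.dmp": "1.3MB",
    "memory/2160-117-0x0000000004E00000-0x0000000004E01000-memory.dmp": "4KB",
    "memory/2160-118-0x0000000002330000-0x000000000234F000-memory.dmp": "124KB",
    "memory/2160-120-0x00000000024C0000-0x00000000024DE000-memory.dmp": "120KB",
    "memory/2160-128-0x0000000004E04000-0x0000000004E06000-memory.dmp": "8KB",
}

# From the "RedLine Payload" signature: resource -> yara_rule.
YARA_HITS = {
    "behavioral1/memory/2160-118-0x0000000002330000-0x000000000234F000-memory.dmp": "family_redline",
    "behavioral1/memory/2160-120-0x00000000024C0000-0x00000000024DE000-memory.dmp": "family_redline",
}


@dataclass(frozen=True)
class Dump:
    name: str
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def key(self) -> Tuple[int, int, int, int]:
        """Identity independent of the behavioral1/ prefix used in the signature table."""
        return (self.pid, self.idx, self.start, self.end)


def parse_dump(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    d = Dump(name, int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))
    if d.end <= d.start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return d


def human_size(n: int) -> str:
    """Assumed formatting rule: whole KB below 1 MiB, otherwise one-decimal MB."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_sizes(listed: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Recompute each size from the address range and compare with the listed value."""
    out = {}
    for name, shown in listed.items():
        computed = human_size(parse_dump(name).size)
        out[name] = (computed, computed == shown)
    return out


def dumps_to_extract(listed: Dict[str, str], hits: Dict[str, str], rule: str = "family_redline") -> List[Dump]:
    """Dumps from the download list that the given YARA rule matched, in index order."""
    wanted = {parse_dump(n).key for n, r in hits.items() if r == rule}
    return sorted((d for d in map(parse_dump, listed) if d.key in wanted), key=lambda d: d.idx)


if __name__ == "__main__":
    for name, (computed, ok) in check_sizes(REPORT_DUMPS).items():
        print(("ok " if ok else "MISMATCH ") + name, computed)
    for d in dumps_to_extract(REPORT_DUMPS, YARA_HITS):
        print(f"extract: {d.name} ({human_size(d.size)}, {d.size:#x} bytes)")
```

The 4KB and 8KB dumps are single-page regions and rarely carry a payload; the size check mainly guards against a truncated download before you spend time running a config extractor on it.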