Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 09:20
General
-
Target
2f802aab0b83ba927a253910e4fb2a071f39c5515d08e29be2c2a687771be0d5.exe
-
Size
16KB
-
MD5
1d7c16cf49e3cbafa8ffb3872b17792b
-
SHA1
164149a2298e3ae54ac91cde92e88b88cea1f5f5
-
SHA256
2f802aab0b83ba927a253910e4fb2a071f39c5515d08e29be2c2a687771be0d5
-
SHA512
3dab9da577095a2008d0d3947b80d5719c74df5c4b7e48a9aad63c3843e1b0930298dcbf03a1b32c6eae9da7e43749401d2edfcb80949b28c3262fb1e3811df5
Malware Config
Extracted
redline
@alan_miller102
194.15.46.144:36848
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f802aab0b83ba927a253910e4fb2a071f39c5515d08e29be2c2a687771be0d5.exe"C:\Users\Admin\AppData\Local\Temp\2f802aab0b83ba927a253910e4fb2a071f39c5515d08e29be2c2a687771be0d5.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Stub.exe"C:\ProgramData\Stub.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Stub.exeMD5
96dce028459cf26be5816b14c6b14484
SHA1e0a93d63ebc7e56459005d911edece66987531dd
SHA256e7d036c77c92bcc5773be4c2f4b4476282f36c0c05f45ab5b3bf2d275270cf06
SHA512d37089834b5c662eebb9f7efce8fd61a62018ded5c45d5405e72dab5e844744f548980ec6265e184c82ff52505fa3189c195c5f8ea62a70260b9ab986ae2188e
-
C:\ProgramData\Stub.exeMD5
96dce028459cf26be5816b14c6b14484
SHA1e0a93d63ebc7e56459005d911edece66987531dd
SHA256e7d036c77c92bcc5773be4c2f4b4476282f36c0c05f45ab5b3bf2d275270cf06
SHA512d37089834b5c662eebb9f7efce8fd61a62018ded5c45d5405e72dab5e844744f548980ec6265e184c82ff52505fa3189c195c5f8ea62a70260b9ab986ae2188e
-
memory/3320-117-0x0000000005900000-0x0000000005901000-memory.dmpFilesize
4KB
-
memory/3320-115-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/4100-127-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/4100-128-0x0000000005210000-0x0000000005816000-memory.dmpFilesize
6.0MB
-
memory/4100-123-0x0000000005820000-0x0000000005821000-memory.dmpFilesize
4KB
-
memory/4100-124-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/4100-125-0x00000000053F0000-0x00000000053F1000-memory.dmpFilesize
4KB
-
memory/4100-126-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB
-
memory/4100-118-0x0000000000000000-mapping.dmp
-
memory/4100-121-0x0000000000AB0000-0x0000000000AB1000-memory.dmpFilesize
4KB
-
memory/4100-129-0x0000000006D30000-0x0000000006D31000-memory.dmpFilesize
4KB
-
memory/4100-130-0x0000000007430000-0x0000000007431000-memory.dmpFilesize
4KB
-
memory/4100-131-0x0000000007960000-0x0000000007961000-memory.dmpFilesize
4KB
-
memory/4100-132-0x0000000006F00000-0x0000000006F01000-memory.dmpFilesize
4KB
-
memory/4100-133-0x0000000007130000-0x0000000007131000-memory.dmpFilesize
4KB
-
memory/4100-134-0x0000000007250000-0x0000000007251000-memory.dmpFilesize
4KB
-
memory/4100-135-0x0000000007110000-0x0000000007111000-memory.dmpFilesize
4KB
-
memory/4100-136-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB