Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 14:51
Static task: static1
Behavioral task: behavioral1
  Sample: 1d7c16cf49e3cbafa8ffb3872b17792b.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 1d7c16cf49e3cbafa8ffb3872b17792b.exe
  Resource: win10-en-20210920
General
- Target: 1d7c16cf49e3cbafa8ffb3872b17792b.exe
- Size: 16KB
- MD5: 1d7c16cf49e3cbafa8ffb3872b17792b
- SHA1: 164149a2298e3ae54ac91cde92e88b88cea1f5f5
- SHA256: 2f802aab0b83ba927a253910e4fb2a071f39c5515d08e29be2c2a687771be0d5
- SHA512: 3dab9da577095a2008d0d3947b80d5719c74df5c4b7e48a9aad63c3843e1b0930298dcbf03a1b32c6eae9da7e43749401d2edfcb80949b28c3262fb1e3811df5
Malware Config
Extracted
- Family: redline
- Botnet: @alan_miller102
- C2: 194.15.46.144:36848
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource                 yara_rule
  C:\ProgramData\Stub.exe  family_redline
  C:\ProgramData\Stub.exe  family_redline
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid   process
  2716  Stub.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but this sample is identified as RedLine (an infostealer) by both the extracted config and the YARA match, and no file-encryption behaviour appears in this report; read alongside the installed-software and process enumeration above, the drive enumeration is host profiling.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2716  Stub.exe
  2716  Stub.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2372  1d7c16cf49e3cbafa8ffb3872b17792b.exe
  Token: SeDebugPrivilege  2716  Stub.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process                               target process
  PID 2372 wrote to memory of 2716   2372  1d7c16cf49e3cbafa8ffb3872b17792b.exe  Stub.exe
  PID 2372 wrote to memory of 2716   2372  1d7c16cf49e3cbafa8ffb3872b17792b.exe  Stub.exe
  PID 2372 wrote to memory of 2716   2372  1d7c16cf49e3cbafa8ffb3872b17792b.exe  Stub.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1d7c16cf49e3cbafa8ffb3872b17792b.exe (PID 2372)
  "C:\Users\Admin\AppData\Local\Temp\1d7c16cf49e3cbafa8ffb3872b17792b.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Stub.exe (PID 2716, child of 2372)
    "C:\ProgramData\Stub.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
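The signatures above describe a chain (dropper with SeDebugPrivilege writes C:\ProgramData\Stub.exe, executes it, then writes into its memory) and the Malware Config gives a C2 endpoint. The following is an added example of detection logic for that chain and those indicators; it is not part of the sandbox report and not RedLine's own code. The EDR-style event schema is an assumption, as is the Stub.exe connection to 194.15.46.144:36848, which the report's Network section does not show. The hashes, paths, PIDs and C2 are taken from this page.

```python
"""Detection logic for the chain this report's signatures describe.

Added example: not part of the sandbox report and not RedLine's own code. It
takes the report's indicators (the dropper's and Stub.exe's SHA-256, the dropped
path C:\\ProgramData\\Stub.exe, the extracted C2 194.15.46.144:36848) and runs
three rules over constructed EDR-style events. The event schema is an
assumption; so is the Stub.exe connection to the C2, which the report's (empty)
Network section does not show.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Indicators copied from the report.
DROPPER_PATH = r"C:\Users\Admin\AppData\Local\Temp\1d7c16cf49e3cbafa8ffb3872b17792b.exe"
DROPPER_SHA256 = "2f802aab0b83ba927a253910e4fb2a071f39c5515d08e29be2c2a687771be0d5"
STUB_PATH = r"C:\ProgramData\Stub.exe"
STUB_SHA256 = "e7d036c77c92bcc5773be4c2f4b4476282f36c0c05f45ab5b3bf2d275270cf06"
KNOWN_HASHES = {DROPPER_SHA256: "dropper", STUB_SHA256: "stub"}
C2_ENDPOINTS = {("194.15.46.144", 36848)}
# Assumption: user-writable directories a dropper typically stages payloads in.
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\")


@dataclass
class Event:
    kind: str        # process_create | file_write | privilege | memory_write | network_connect
    pid: int         # acting process (for process_create: the new process)
    image: str = ""  # image path of that process
    data: dict = field(default_factory=dict)


# Constructed telemetry modelled on the report's process tree (2372 -> 2716),
# plus two benign events that must not match.
EVENTS = [
    Event("process_create", 2372, DROPPER_PATH, {"ppid": 1234, "sha256": DROPPER_SHA256}),
    Event("privilege", 2372, DROPPER_PATH, {"token": "SeDebugPrivilege"}),
    Event("file_write", 2372, DROPPER_PATH, {"path": STUB_PATH}),
    Event("process_create", 2716, STUB_PATH, {"ppid": 2372, "sha256": STUB_SHA256}),
    Event("memory_write", 2372, DROPPER_PATH, {"target_pid": 2716}),
    Event("privilege", 2716, STUB_PATH, {"token": "SeDebugPrivilege"}),
    Event("network_connect", 2716, STUB_PATH, {"dst_ip": "194.15.46.144", "dst_port": 36848}),
    Event("process_create", 4000, r"C:\Windows\System32\notepad.exe", {"ppid": 1234, "sha256": "00" * 32}),
    Event("network_connect", 4000, r"C:\Windows\System32\notepad.exe", {"dst_ip": "13.107.4.52", "dst_port": 443}),
]


def detect(events: list[Event]) -> list[tuple[str, int]]:
    """Return (rule, pid) findings from an ordered event stream.

    hash_match:<label>   a process image whose SHA-256 is listed in the report
    c2_connect           outbound connection to the extracted C2 endpoint
    drop_execute_inject  a process writes an .exe into a drop directory, runs it
                         as its child, then writes into the child's memory (the
                         Executes dropped EXE + WriteProcessMemory signatures);
                         "+SeDebugPrivilege" is appended when the writer enabled
                         that token earlier (the AdjustPrivilegeToken signature).
                         This rule keys on behaviour, not hashes, so it still
                         fires for a recompiled Stub.exe.
    """
    findings: list[tuple[str, int]] = []
    dropped: dict[str, int] = {}           # lower-cased dropped path -> pid that wrote it
    dropped_children: dict[int, int] = {}  # child pid -> parent pid, for dropped images
    debug_priv: set[int] = set()

    for ev in events:
        if ev.kind == "process_create":
            label = KNOWN_HASHES.get(ev.data.get("sha256", ""))
            if label:
                findings.append((f"hash_match:{label}", ev.pid))
            image = ev.image.lower()
            if image.startswith(DROP_DIRS) and dropped.get(image) == ev.data.get("ppid"):
                dropped_children[ev.pid] = ev.data["ppid"]
        elif ev.kind == "file_write":
            path = ev.data["path"].lower()
            if path.endswith(".exe"):
                dropped[path] = ev.pid
        elif ev.kind == "privilege" and ev.data.get("token") == "SeDebugPrivilege":
            debug_priv.add(ev.pid)
        elif ev.kind == "memory_write":
            target = ev.data["target_pid"]
            if dropped_children.get(target) == ev.pid:
                rule = "drop_execute_inject"
                if ev.pid in debug_priv:
                    rule += "+SeDebugPrivilege"
                findings.append((rule, target))
        elif ev.kind == "network_connect":
            if (ev.data["dst_ip"], ev.data["dst_port"]) in C2_ENDPOINTS:
                findings.append(("c2_connect", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:35} pid={pid}")
```

The SeDebugPrivilege suffix is enrichment, not a requirement: a parent already holds a full-access handle to a child it created, so WriteProcessMemory into that child needs no extra privilege, and the report shows both processes adjusting the token regardless. The hash and C2 rules are only as durable as this report's indicators; the drop-execute-inject rule is the one worth keeping in a detection set.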
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Stub.exe
  MD5: 96dce028459cf26be5816b14c6b14484
  SHA1: e0a93d63ebc7e56459005d911edece66987531dd
  SHA256: e7d036c77c92bcc5773be4c2f4b4476282f36c0c05f45ab5b3bf2d275270cf06
  SHA512: d37089834b5c662eebb9f7efce8fd61a62018ded5c45d5405e72dab5e844744f548980ec6265e184c82ff52505fa3189c195c5f8ea62a70260b9ab986ae2188e
- memory/2372-117-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize 4KB)
- memory/2372-115-0x00000000002E0000-0x00000000002E1000-memory.dmp (Filesize 4KB)
- memory/2716-127-0x00000000052E0000-0x00000000058E6000-memory.dmp (Filesize 6.0MB)
- memory/2716-128-0x00000000053A0000-0x00000000053A1000-memory.dmp (Filesize 4KB)
- memory/2716-123-0x00000000058F0000-0x00000000058F1000-memory.dmp (Filesize 4KB)
- memory/2716-124-0x0000000005300000-0x0000000005301000-memory.dmp (Filesize 4KB)
- memory/2716-125-0x0000000005430000-0x0000000005431000-memory.dmp (Filesize 4KB)
- memory/2716-126-0x0000000005360000-0x0000000005361000-memory.dmp (Filesize 4KB)
- memory/2716-118-0x0000000000000000-mapping.dmp
- memory/2716-121-0x0000000000AF0000-0x0000000000AF1000-memory.dmp (Filesize 4KB)
- memory/2716-129-0x0000000006EC0000-0x0000000006EC1000-memory.dmp (Filesize 4KB)
- memory/2716-130-0x00000000075C0000-0x00000000075C1000-memory.dmp (Filesize 4KB)
- memory/2716-131-0x0000000007090000-0x0000000007091000-memory.dmp (Filesize 4KB)
- memory/2716-132-0x0000000007110000-0x0000000007111000-memory.dmp (Filesize 4KB)
- memory/2716-133-0x0000000007FF0000-0x0000000007FF1000-memory.dmp (Filesize 4KB)
- memory/2716-134-0x00000000072D0000-0x00000000072D1000-memory.dmp (Filesize 4KB)
- memory/2716-135-0x00000000074C0000-0x00000000074C1000-memory.dmp (Filesize 4KB)
- memory/2716-136-0x0000000008680000-0x0000000008681000-memory.dmp (Filesize 4KB)