Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 14:51
General
-
Target
1d7c16cf49e3cbafa8ffb3872b17792b.exe
-
Size
16KB
-
MD5
1d7c16cf49e3cbafa8ffb3872b17792b
-
SHA1
164149a2298e3ae54ac91cde92e88b88cea1f5f5
-
SHA256
2f802aab0b83ba927a253910e4fb2a071f39c5515d08e29be2c2a687771be0d5
-
SHA512
3dab9da577095a2008d0d3947b80d5719c74df5c4b7e48a9aad63c3843e1b0930298dcbf03a1b32c6eae9da7e43749401d2edfcb80949b28c3262fb1e3811df5
Malware Config
Extracted
redline
@alan_miller102
194.15.46.144:36848
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d7c16cf49e3cbafa8ffb3872b17792b.exe"C:\Users\Admin\AppData\Local\Temp\1d7c16cf49e3cbafa8ffb3872b17792b.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Stub.exe"C:\ProgramData\Stub.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Stub.exeMD5
96dce028459cf26be5816b14c6b14484
SHA1e0a93d63ebc7e56459005d911edece66987531dd
SHA256e7d036c77c92bcc5773be4c2f4b4476282f36c0c05f45ab5b3bf2d275270cf06
SHA512d37089834b5c662eebb9f7efce8fd61a62018ded5c45d5405e72dab5e844744f548980ec6265e184c82ff52505fa3189c195c5f8ea62a70260b9ab986ae2188e
-
C:\ProgramData\Stub.exeMD5
96dce028459cf26be5816b14c6b14484
SHA1e0a93d63ebc7e56459005d911edece66987531dd
SHA256e7d036c77c92bcc5773be4c2f4b4476282f36c0c05f45ab5b3bf2d275270cf06
SHA512d37089834b5c662eebb9f7efce8fd61a62018ded5c45d5405e72dab5e844744f548980ec6265e184c82ff52505fa3189c195c5f8ea62a70260b9ab986ae2188e
-
memory/2372-117-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/2372-115-0x00000000002E0000-0x00000000002E1000-memory.dmpFilesize
4KB
-
memory/2716-127-0x00000000052E0000-0x00000000058E6000-memory.dmpFilesize
6.0MB
-
memory/2716-128-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/2716-123-0x00000000058F0000-0x00000000058F1000-memory.dmpFilesize
4KB
-
memory/2716-124-0x0000000005300000-0x0000000005301000-memory.dmpFilesize
4KB
-
memory/2716-125-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/2716-126-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/2716-118-0x0000000000000000-mapping.dmp
-
memory/2716-121-0x0000000000AF0000-0x0000000000AF1000-memory.dmpFilesize
4KB
-
memory/2716-129-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2716-130-0x00000000075C0000-0x00000000075C1000-memory.dmpFilesize
4KB
-
memory/2716-131-0x0000000007090000-0x0000000007091000-memory.dmpFilesize
4KB
-
memory/2716-132-0x0000000007110000-0x0000000007111000-memory.dmpFilesize
4KB
-
memory/2716-133-0x0000000007FF0000-0x0000000007FF1000-memory.dmpFilesize
4KB
-
memory/2716-134-0x00000000072D0000-0x00000000072D1000-memory.dmpFilesize
4KB
-
memory/2716-135-0x00000000074C0000-0x00000000074C1000-memory.dmpFilesize
4KB
-
memory/2716-136-0x0000000008680000-0x0000000008681000-memory.dmpFilesize
4KB