Analysis
- max time kernel: 51s
- max time network: 59s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 01-10-2021 05:08

Static task: static1
Behavioral task: behavioral1
Sample: 19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
Resource: win7v20210408
General
- Target: 19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe (the filename is the first 45 hex characters of the SHA256 below)
- Size: 313KB
- MD5: a61020210efb3d65c3ee06d385dd979c
- SHA1: 5ac0ce24fb565fd5000d50f92ed9c59bd409a4ce
- SHA256: 19d390fbe3da552929498622c2588a3bcba4cf9c13b8fe98503f94fe6ce5fa38
- SHA512: fae97e45a302d68c70d49b85fdcdbd34ea2a044ac8faee2fcbd9bf476f61e7687dd6f9c0398e1bc8f1c2a7c2b57271e9ffdf3d7138cbcbf4211ceb40954f57e5
Malware Config
Extracted
- Family: redline
- Build/botnet ID: build1
- C2: 77.232.36.199:32336
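The extracted config gives one hard indicator, the C2 endpoint. The following is an added example, not part of the sandbox report or of any RedLine tooling: it validates the `host:port` string, refuses non-routable addresses (a sign the extractor picked up a placeholder), and renders the endpoint as a Suricata rule and a Windows Firewall block command. The config dictionary is copied from the Extracted block above; the rule names, the SID 1000001 and the choice of artefacts are assumptions.

```python
"""Turn an extracted RedLine C2 endpoint into blocking/detection artefacts.
Added example; the SID and rule naming are assumptions, not a vendor feed."""
import ipaddress
import re
from dataclasses import dataclass

# Copied from the "Extracted" block of this report.
EXTRACTED_CONFIG = {"family": "redline", "build": "build1", "c2": "77.232.36.199:32336"}

_C2_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d{1,5})$")


@dataclass(frozen=True)
class C2Endpoint:
    host: str
    port: int

    def is_routable(self) -> bool:
        """True if host is a public IP (not RFC1918, loopback, link-local, ...).
        Hostnames cannot be judged without resolution, so they return False."""
        try:
            return ipaddress.ip_address(self.host).is_global
        except ValueError:
            return False


def parse_c2(value: str) -> C2Endpoint:
    """Parse 'host:port' as the report prints it; reject malformed ports."""
    m = _C2_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised C2 format: {value!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return C2Endpoint(m.group("host"), port)


def suricata_rule(ep: C2Endpoint, family: str, build: str, sid: int) -> str:
    """Alert on an outbound TCP session to the C2 host:port (local SID range, assumed)."""
    return (f'alert tcp $HOME_NET any -> {ep.host} {ep.port} '
            f'(msg:"{family} C2 {build}"; flow:to_server; sid:{sid}; rev:1;)')


def netsh_block_rule(ep: C2Endpoint, family: str) -> str:
    """Outbound block rule for the Windows Firewall (run elevated on the host)."""
    return (f'netsh advfirewall firewall add rule name="Block {family} C2" '
            f'dir=out action=block protocol=TCP remoteip={ep.host} remoteport={ep.port}')


def build_iocs(cfg: dict, sid: int = 1000001) -> dict:
    ep = parse_c2(cfg["c2"])
    if not ep.is_routable():
        raise ValueError(f"C2 {ep.host} is not a routable address; check the extraction")
    return {"endpoint": ep,
            "suricata": suricata_rule(ep, cfg["family"], cfg["build"], sid),
            "netsh": netsh_block_rule(ep, cfg["family"])}


if __name__ == "__main__":
    for kind, artefact in build_iocs(EXTRACTED_CONFIG).items():
        print(kind, artefact)
```

The routability check matters in practice: config extractors sometimes return a dummy value such as `127.0.0.1:1` from an unconfigured build, and pushing that into a firewall would be noise at best.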
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/1796-62-0x0000000000310000-0x000000000032F000-memory.dmp   family_redline
behavioral1/memory/1796-63-0x00000000003E0000-0x00000000003FE000-memory.dmp   family_redline
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, plus the WOW6432Node counterpart on 64-bit systems) to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1796  19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
1796  19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1796  19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
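The sandbox saw pid 1796 enable SeDebugPrivilege, which a stealer needs in order to open other users' processes (browser processes in particular). On Windows 10 and Server 2016 or later, enabling a privilege is logged as Security event 4703 when the "Audit Token Right Adjusted" subcategory is on; the Windows 7 platform used for this run does not produce that event, so an EDR or Sysmon would be needed there. The following is an added example, not part of this report: a detector over 4703 records that flags any process outside a small baseline enabling SeDebugPrivilege. The event lines are constructed (one record per line, `key=value` fields named after 4703's EventData fields; the pid `0x704` is 1796 in hex), and the allow-list is an assumption, not a vendor baseline.

```python
"""Flag processes that enable SeDebugPrivilege, as pid 1796 does in this run.
Added example; event records are constructed to mimic Security event 4703 and
the allow-list of legitimate holders is an assumption."""

# Processes that legitimately enable SeDebugPrivilege on a baseline host (assumed).
ALLOWED_DEBUG_HOLDERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\taskmgr.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed records. ProcessId is hex, as 4703 reports it; 0x704 == 1796.
SAMPLE_EVENTS = """\
EventID=4703|ProcessId=0x230|ProcessName=C:\\Windows\\System32\\svchost.exe|EnabledPrivilegeList=SeDebugPrivilege|DisabledPrivilegeList=-
EventID=4703|ProcessId=0x704|ProcessName=C:\\Users\\Admin\\AppData\\Local\\Temp\\19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe|EnabledPrivilegeList=SeDebugPrivilege|DisabledPrivilegeList=-
EventID=4703|ProcessId=0x9c8|ProcessName=C:\\Windows\\explorer.exe|EnabledPrivilegeList=SeShutdownPrivilege|DisabledPrivilegeList=-
EventID=4703|ProcessId=0xa10|ProcessName=C:\\Users\\Admin\\Downloads\\tool.exe|EnabledPrivilegeList=SeDebugPrivilege, SeBackupPrivilege|DisabledPrivilegeList=-
EventID=4688|ProcessId=0xb00|ProcessName=C:\\Windows\\System32\\cmd.exe
"""


def parse_event(line: str) -> dict:
    """Split one 'k=v|k=v' record into a dict; unknown fragments are ignored."""
    return dict(field.split("=", 1) for field in line.strip().split("|") if "=" in field)


def privileges(field: str) -> set:
    """4703 lists privileges comma-separated, or '-' when the list is empty."""
    return {p.strip() for p in field.split(",") if p.strip() and p.strip() != "-"}


def find_debug_privilege_abuse(log: str, allow=ALLOWED_DEBUG_HOLDERS) -> list:
    """Return one hit per 4703 record where a non-baseline process enabled
    SeDebugPrivilege. Path comparison is case-insensitive, as NTFS is."""
    hits = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4703":
            continue
        enabled = privileges(ev.get("EnabledPrivilegeList", ""))
        if "SeDebugPrivilege" not in enabled:
            continue
        path = ev.get("ProcessName", "")
        if path.lower() in allow:
            continue
        hits.append({"pid": int(ev["ProcessId"], 16),
                     "process": path,
                     "enabled": sorted(enabled)})
    return hits


if __name__ == "__main__":
    for hit in find_debug_privilege_abuse(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} {hit['process']} enabled {', '.join(hit['enabled'])}")
```

Matching the allow-list on full path rather than image name is deliberate: a stealer dropped as `C:\Users\...\svchost.exe` must not inherit the exemption of the real one in System32.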
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1796-60-0x0000000000220000-0x0000000000250000-memory.dmp (Filesize: 192KB)
- memory/1796-61-0x0000000000400000-0x000000000087E000-memory.dmp (Filesize: 4.5MB)
- memory/1796-62-0x0000000000310000-0x000000000032F000-memory.dmp (Filesize: 124KB)
- memory/1796-63-0x00000000003E0000-0x00000000003FE000-memory.dmp (Filesize: 120KB)
- memory/1796-64-0x00000000025F1000-0x00000000025F2000-memory.dmp (Filesize: 4KB)
- memory/1796-65-0x00000000025F2000-0x00000000025F3000-memory.dmp (Filesize: 4KB)
- memory/1796-66-0x00000000025F3000-0x00000000025F4000-memory.dmp (Filesize: 4KB)
- memory/1796-67-0x00000000025F4000-0x00000000025F6000-memory.dmp (Filesize: 8KB)
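The dump names encode the pid, a sequence number and the address range of each region, so the list can be cross-checked against the YARA hits without opening the files: the two `family_redline` matches (sequence 62 and 63) are the 124KB and 120KB regions, and the four page-sized dumps at 0x25F1000 are one contiguous 20KB area. The following is an added example, not part of the sandbox or its tooling: a parser for this naming scheme that recomputes each region's size (checked against the Filesize the report prints, which uses binary units), marks the YARA-matched regions, and coalesces adjacent dumps. The artefact names and hits are copied from this report; the parser, the size rendering and the coalescing are assumptions about the scheme.

```python
"""Parse sandbox memory-dump artefact names <pid>-<seq>-<start>-<end>-memory.dmp,
derive region sizes and cross-reference the family_redline YARA matches.
Added example; names and reported sizes are copied from this report, the
naming-scheme assumptions are the author's."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Copied from the Downloads list of this report.
DUMPS: List[Tuple[str, str]] = [
    ("memory/1796-60-0x0000000000220000-0x0000000000250000-memory.dmp", "192KB"),
    ("memory/1796-61-0x0000000000400000-0x000000000087E000-memory.dmp", "4.5MB"),
    ("memory/1796-62-0x0000000000310000-0x000000000032F000-memory.dmp", "124KB"),
    ("memory/1796-63-0x00000000003E0000-0x00000000003FE000-memory.dmp", "120KB"),
    ("memory/1796-64-0x00000000025F1000-0x00000000025F2000-memory.dmp", "4KB"),
    ("memory/1796-65-0x00000000025F2000-0x00000000025F3000-memory.dmp", "4KB"),
    ("memory/1796-66-0x00000000025F3000-0x00000000025F4000-memory.dmp", "4KB"),
    ("memory/1796-67-0x00000000025F4000-0x00000000025F6000-memory.dmp", "8KB"),
]
# Regions the family_redline YARA rule matched, from the Signatures section.
YARA_HITS = [
    "behavioral1/memory/1796-62-0x0000000000310000-0x000000000032F000-memory.dmp",
    "behavioral1/memory/1796-63-0x00000000003E0000-0x00000000003FE000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^(?:behavioral1/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_region(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artefact name: {name!r}")
    r = Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))
    if r.end <= r.start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return r


def human_size(n: int) -> str:
    """Render as the report does: whole KiB below 1 MiB, one decimal MiB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def check_reported_sizes(dumps) -> list:
    """Names whose address range disagrees with the Filesize the report prints."""
    return [name for name, reported in dumps
            if human_size(parse_region(name).size) != reported]


def yara_hit_regions(regions, hits) -> list:
    keys = {(h.pid, h.seq) for h in map(parse_region, hits)}
    return [r for r in regions if (r.pid, r.seq) in keys]


def coalesce(regions) -> list:
    """Merge address-adjacent regions of one pid; successive page-sized dumps
    are usually one heap or stack area captured page by page."""
    merged = []
    for r in sorted(regions, key=lambda r: (r.pid, r.start)):
        if merged and merged[-1].pid == r.pid and merged[-1].end == r.start:
            last = merged.pop()
            r = Region(last.pid, last.seq, last.start, r.end)
        merged.append(r)
    return merged


if __name__ == "__main__":
    regions = [parse_region(n) for n, _ in DUMPS]
    flagged = {(r.pid, r.seq) for r in yara_hit_regions(regions, YARA_HITS)}
    for r in coalesce(regions):
        tag = "  family_redline" if (r.pid, r.seq) in flagged else ""
        print(f"pid {r.pid} 0x{r.start:08X}-0x{r.end:08X} {human_size(r.size):>6}{tag}")
```

The 0x400000 region is the conventional image base of a 32-bit PE, so sequence 61 is most likely the mapped main module; note that the YARA rule fired on the two smaller regions outside it, not on the image itself, which is the pattern one expects when the stealer payload is decrypted into separate allocations at runtime.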