Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 17-10-2021 13:33
- static task: static1
General
- Target: 4fb021494e505cab99ecdfd3cbebfeb3910eaa5380ad952ff4ae6016f4b78f22.exe
- Size: 406KB
- MD5: 43d7a10f18c09e79b5210d5643d289f7
- SHA1: acd59f2d1e3d65445b2a1189c3676bd1417aba2d
- SHA256: 4fb021494e505cab99ecdfd3cbebfeb3910eaa5380ad952ff4ae6016f4b78f22
- SHA512: 849d27e9aff75e169ea9a1b3219fff9c7bf2b3d48278d2191cd5a9a5c9fa2760bc0057dc49dd7bd00227d5931ef13c3299f68942fa1aa7adfeca5162ccb6b4da
Malware Config
Extracted
- Family: redline
- Botnet: sewPalp
- C2: 185.215.113.29:24645
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  - resource behavioral1/memory/1680-116-0x00000000009F0000-0x0000000000A0F000-memory.dmp: yara_rule family_redline
  - resource behavioral1/memory/1680-118-0x0000000002750000-0x000000000276D000-memory.dmp: yara_rule family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - process 4fb021494e505cab99ecdfd3cbebfeb3910eaa5380ad952ff4ae6016f4b78f22.exe (pid 1680): Token: SeDebugPrivilege
Downloads (file: size)
- memory/1680-115-0x0000000000A26000-0x0000000000A49000-memory.dmp: 140KB
- memory/1680-116-0x00000000009F0000-0x0000000000A0F000-memory.dmp: 124KB
- memory/1680-117-0x0000000005040000-0x0000000005041000-memory.dmp: 4KB
- memory/1680-118-0x0000000002750000-0x000000000276D000-memory.dmp: 116KB
- memory/1680-119-0x0000000005540000-0x0000000005541000-memory.dmp: 4KB
- memory/1680-120-0x0000000004EB0000-0x0000000004EB1000-memory.dmp: 4KB
- memory/1680-121-0x0000000004EE0000-0x0000000004EE1000-memory.dmp: 4KB
- memory/1680-122-0x0000000004FF0000-0x0000000004FF1000-memory.dmp: 4KB
- memory/1680-123-0x0000000000900000-0x0000000000930000-memory.dmp: 192KB
- memory/1680-124-0x0000000000400000-0x0000000000797000-memory.dmp: 3.6MB
- memory/1680-125-0x0000000005030000-0x0000000005031000-memory.dmp: 4KB
- memory/1680-126-0x0000000005032000-0x0000000005033000-memory.dmp: 4KB
- memory/1680-127-0x0000000005033000-0x0000000005034000-memory.dmp: 4KB
- memory/1680-128-0x0000000005034000-0x0000000005036000-memory.dmp: 8KB
- memory/1680-129-0x0000000005B90000-0x0000000005B91000-memory.dmp: 4KB
- memory/1680-130-0x00000000067B0000-0x00000000067B1000-memory.dmp: 4KB
- memory/1680-131-0x0000000006980000-0x0000000006981000-memory.dmp: 4KB
- memory/1680-132-0x0000000006FB0000-0x0000000006FB1000-memory.dmp: 4KB
- memory/1680-133-0x0000000007310000-0x0000000007311000-memory.dmp: 4KB
- memory/1680-134-0x0000000007410000-0x0000000007411000-memory.dmp: 4KB
- memory/1680-135-0x00000000074C0000-0x00000000074C1000-memory.dmp: 4KB