Analysis
- max time kernel: 71s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 18-10-2021 16:03
- Static task: static1
General
- Target: 579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba.exe
- Size: 808KB
- MD5: 0f7db123d145142719c707374a5848a4
- SHA1: b2a03dbf263d4a50caf841fbb00ffa8f0f071ee1
- SHA256: 579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba
- SHA512: 0e5e7dd009452dbb7e32ee34f65e4a2336f20ca19f596c3ba82131d130a0ce9bf6b7f15e4258de1f1eb5b932f9b499e95bf15c05dd096d0160427d3161f744c1
Malware Config
Extracted
- Family: redline
- Botnet: 01
- C2: 176.57.71.68:37814
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Resources matched by YARA rule:
  - behavioral1/memory/2476-115-0x0000000000810000-0x0000000000841000-memory.dmp: family_redline
  - behavioral1/memory/2476-121-0x0000000002A90000-0x0000000002AAC000-memory.dmp: family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - pid 2476: 579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - pid 2476: 579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba.exe (Token: SeDebugPrivilege)
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\579214390f165480aa3ff4991f1a6eb8b6d946dc02e9ecc075a7b816e9ffdfba.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2476-115-0x0000000000810000-0x0000000000841000-memory.dmp (Filesize: 196KB)
- memory/2476-121-0x0000000002A90000-0x0000000002AAC000-memory.dmp (Filesize: 112KB)