Analysis
max time kernel: 122s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211014
submitted: 19-10-2021 22:30
Static task: static1
General
Target: bd620bb07d9ca3cc5e7e6ccc288cee8772b36dceac3dc73afefdbc554656f218.exe
Size: 337KB
MD5: d65d1c59b9c5c5052fd7e0320437e984
SHA1: a8dcc1059e8d563c7efeb81308d6466257340013
SHA256: bd620bb07d9ca3cc5e7e6ccc288cee8772b36dceac3dc73afefdbc554656f218
SHA512: 6da24f617f510008d26aeceab26a7d47d34693dfb8c471430463ddfb72b80b0a495ef99dc5a91b6f5ef9ef62fcefe649e4d9caad8b8a54af78ee0d68d0720c02
Malware Config
Extracted
Family: redline
Botnet: PUB
C2: 45.9.20.182:52236
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1420-118-0x0000000004F90000-0x0000000004FAF000-memory.dmp | family_redline
behavioral1/memory/1420-122-0x0000000005120000-0x000000000513D000-memory.dmp | family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1420 | bd620bb07d9ca3cc5e7e6ccc288cee8772b36dceac3dc73afefdbc554656f218.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads