Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
20-10-2021 21:30
General
-
Target
e64ff63cb54ce8ac793e7534a161dd9e81e0d7a0092c1b391d8a1ace10172d05.exe
-
Size
415KB
-
MD5
e56f00972a51ea456baf0857b8b30017
-
SHA1
9198f25c328b99d7b86e2b35ff491e86d7f86176
-
SHA256
e64ff63cb54ce8ac793e7534a161dd9e81e0d7a0092c1b391d8a1ace10172d05
-
SHA512
9c3ae58c216189fe474a54fd4636983fd43a62f52e5856aac03352f5543a3d28cb1c13459abd0c0ad18bad69c6d95e1e00a0bf2f17a34e403be5850f9d86c166
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
PUB
C2
45.9.20.182:52236
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e64ff63cb54ce8ac793e7534a161dd9e81e0d7a0092c1b391d8a1ace10172d05.exe"C:\Users\Admin\AppData\Local\Temp\e64ff63cb54ce8ac793e7534a161dd9e81e0d7a0092c1b391d8a1ace10172d05.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1816-116-0x00000000001C0000-0x00000000001F0000-memory.dmpFilesize
192KB
-
memory/1816-117-0x0000000000400000-0x0000000002DBE000-memory.dmpFilesize
41.7MB
-
memory/1816-118-0x0000000004D50000-0x0000000004D6F000-memory.dmpFilesize
124KB
-
memory/1816-119-0x0000000007370000-0x0000000007371000-memory.dmpFilesize
4KB
-
memory/1816-120-0x0000000007360000-0x0000000007361000-memory.dmpFilesize
4KB
-
memory/1816-122-0x0000000007363000-0x0000000007364000-memory.dmpFilesize
4KB
-
memory/1816-121-0x0000000007362000-0x0000000007363000-memory.dmpFilesize
4KB
-
memory/1816-123-0x0000000004F60000-0x0000000004F7D000-memory.dmpFilesize
116KB
-
memory/1816-124-0x0000000007870000-0x0000000007871000-memory.dmpFilesize
4KB
-
memory/1816-125-0x0000000007EB0000-0x0000000007EB1000-memory.dmpFilesize
4KB
-
memory/1816-126-0x0000000007EE0000-0x0000000007EE1000-memory.dmpFilesize
4KB
-
memory/1816-127-0x0000000007FF0000-0x0000000007FF1000-memory.dmpFilesize
4KB
-
memory/1816-128-0x0000000007364000-0x0000000007366000-memory.dmpFilesize
8KB
-
memory/1816-129-0x0000000008070000-0x0000000008071000-memory.dmpFilesize
4KB
-
memory/1816-130-0x0000000008C90000-0x0000000008C91000-memory.dmpFilesize
4KB
-
memory/1816-131-0x0000000008E60000-0x0000000008E61000-memory.dmpFilesize
4KB
-
memory/1816-132-0x0000000009490000-0x0000000009491000-memory.dmpFilesize
4KB
-
memory/1816-133-0x00000000095A0000-0x00000000095A1000-memory.dmpFilesize
4KB
-
memory/1816-134-0x0000000009780000-0x0000000009781000-memory.dmpFilesize
4KB
-
memory/1816-135-0x00000000097E0000-0x00000000097E1000-memory.dmpFilesize
4KB