Analysis
max time kernel: 118s
max time network: 124s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21-10-2021 04:00
Static task
static1
General
Target: 6df8b8bd673ce9613ef3eed8348a8ee415ede3f3d28517eda41d83d34646ddb9.exe
Size: 337KB
MD5: 3060a63d902aa397451eb87fe9e6ed53
SHA1: 7fa10b5779a0ce63a59b96ee943e1da9d43f1d72
SHA256: 6df8b8bd673ce9613ef3eed8348a8ee415ede3f3d28517eda41d83d34646ddb9
SHA512: 05f290689561561f29c6e4a72811c5ebed70a7800e3fa742be0c514ac401288d850563d285f01e509b9f0335cf8df057b3d92342767375a56024c6508eed4697
Malware Config
Extracted
Family: redline
Botnet: UTS
C2: 45.9.20.182:52236
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/3512-117-0x0000000004F00000-0x0000000004F1F000-memory.dmp  family_redline
behavioral1/memory/3512-119-0x0000000005010000-0x000000000502D000-memory.dmp  family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  3512  6df8b8bd673ce9613ef3eed8348a8ee415ede3f3d28517eda41d83d34646ddb9.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                              Filesize
memory/3512-116-0x0000000004C80000-0x0000000004CB0000-memory.dmp  192KB
memory/3512-115-0x0000000004C50000-0x0000000004C72000-memory.dmp  136KB
memory/3512-117-0x0000000004F00000-0x0000000004F1F000-memory.dmp  124KB
memory/3512-118-0x0000000007710000-0x0000000007711000-memory.dmp  4KB
memory/3512-119-0x0000000005010000-0x000000000502D000-memory.dmp  116KB
memory/3512-120-0x0000000007C10000-0x0000000007C11000-memory.dmp  4KB
memory/3512-121-0x0000000005220000-0x0000000005221000-memory.dmp  4KB
memory/3512-122-0x0000000008220000-0x0000000008221000-memory.dmp  4KB
memory/3512-124-0x0000000004D30000-0x0000000004D31000-memory.dmp  4KB
memory/3512-123-0x0000000000400000-0x0000000002F1B000-memory.dmp  43.1MB
memory/3512-125-0x0000000004D32000-0x0000000004D33000-memory.dmp  4KB
memory/3512-126-0x0000000004D33000-0x0000000004D34000-memory.dmp  4KB
memory/3512-127-0x0000000004D34000-0x0000000004D36000-memory.dmp  8KB
memory/3512-128-0x0000000005250000-0x0000000005251000-memory.dmp  4KB
memory/3512-129-0x0000000008340000-0x0000000008341000-memory.dmp  4KB
memory/3512-130-0x0000000009420000-0x0000000009421000-memory.dmp  4KB
memory/3512-131-0x00000000095F0000-0x00000000095F1000-memory.dmp  4KB
memory/3512-132-0x0000000009B20000-0x0000000009B21000-memory.dmp  4KB
memory/3512-133-0x0000000009E40000-0x0000000009E41000-memory.dmp  4KB
memory/3512-134-0x0000000009F10000-0x0000000009F11000-memory.dmp  4KB
memory/3512-135-0x0000000009FB0000-0x0000000009FB1000-memory.dmp  4KB