Analysis
-
max time kernel
119s -
max time network
127s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
21-10-2021 09:05
Static task
static1
Behavioral task
behavioral1
Sample
usfive_20211021-084805.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
usfive_20211021-084805.exe
Resource
win10-en-20211014
General
-
Target
usfive_20211021-084805.exe
-
Size
337KB
-
MD5
a371cb8030ecb71c1246359e86e45fe6
-
SHA1
8cc4982a22d833799906bd8c9616385142386407
-
SHA256
f8f717beb9b7de0b20ef86dcabc3a7b107fcfd933daa17899ff95dce53ba6db8
-
SHA512
8875fb83ce689f5f8dced5cbde2e40cdc9adfbf716f34770bdc747e0ef47d3766c91c1c9c30a1638381617e47bf8650d4909b24822e957102cffc5aa58338100
Malware Config
Extracted
redline
netlyvpn evadav
94.103.9.181:25749
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2012-56-0x0000000004840000-0x000000000485F000-memory.dmp family_redline behavioral1/memory/2012-57-0x00000000048C0000-0x00000000048DD000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
usfive_20211021-084805.exepid process 2012 usfive_20211021-084805.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
usfive_20211021-084805.exedescription pid process Token: SeDebugPrivilege 2012 usfive_20211021-084805.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2012-53-0x00000000003C0000-0x00000000003E2000-memory.dmpFilesize
136KB
-
memory/2012-54-0x0000000002F20000-0x0000000002F50000-memory.dmpFilesize
192KB
-
memory/2012-55-0x0000000000400000-0x0000000002F1B000-memory.dmpFilesize
43.1MB
-
memory/2012-56-0x0000000004840000-0x000000000485F000-memory.dmpFilesize
124KB
-
memory/2012-57-0x00000000048C0000-0x00000000048DD000-memory.dmpFilesize
116KB
-
memory/2012-58-0x0000000007361000-0x0000000007362000-memory.dmpFilesize
4KB
-
memory/2012-60-0x0000000007363000-0x0000000007364000-memory.dmpFilesize
4KB
-
memory/2012-59-0x0000000007362000-0x0000000007363000-memory.dmpFilesize
4KB
-
memory/2012-61-0x0000000007364000-0x0000000007366000-memory.dmpFilesize
8KB