Analysis
  max time kernel: 119s
  max time network: 124s
  platform: windows10_x64
  resource: win10-en-20210920
  submitted: 21-10-2021 14:17
Static task: static1
Behavioral task: behavioral1
  Sample: usfive_20211021-124624.exe
  Resource: win7-en-20211014
General
  Target: usfive_20211021-124624.exe
  Size: 333KB
  MD5: d925816145cc18afdd4675c4846bc9a7
  SHA1: 9eb8dff855f515f3253eb2987679c462c9cab3e7
  SHA256: 6ccde99f9a922f30985bf697ef122d1bb102993590064544c6d0cda4f53cbdcc
  SHA512: 5caec99f2a47c64193707f5f3ccb74408eea98fd395d1fba4881f7ca39149ec3aa233ef4d85396e6e3be037bc293a138ea4e1d97528c72466e8d8c5a663f5326
Malware Config
  Extracted
    Family: redline
    Botnet: oct21
    C2: 94.103.9.181:25690
Signatures
  RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  RedLine Payload (2 IoCs)
    Processes:
      resource                                                                       yara_rule
      behavioral2/memory/2604-115-0x0000000004E00000-0x0000000004E1B000-memory.dmp   family_redline
      behavioral2/memory/2604-117-0x0000000007AF0000-0x0000000007B0A000-memory.dmp   family_redline
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  Suspicious behavior: EnumeratesProcesses (1 IoC)
    Processes:
      pid    process
      2604   usfive_20211021-124624.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Processes:
      description               pid    process
      Token: SeDebugPrivilege   2604   usfive_20211021-124624.exe
Downloads
  file                                                               Filesize
  memory/2604-115-0x0000000004E00000-0x0000000004E1B000-memory.dmp   108KB
  memory/2604-116-0x00000000075F0000-0x00000000075F1000-memory.dmp   4KB
  memory/2604-117-0x0000000007AF0000-0x0000000007B0A000-memory.dmp   104KB
  memory/2604-118-0x0000000007C50000-0x0000000007C51000-memory.dmp   4KB
  memory/2604-119-0x0000000008260000-0x0000000008261000-memory.dmp   4KB
  memory/2604-120-0x00000000083A0000-0x00000000083A1000-memory.dmp   4KB
  memory/2604-121-0x00000000083C0000-0x00000000083C1000-memory.dmp   4KB
  memory/2604-122-0x0000000003190000-0x00000000031B1000-memory.dmp   132KB
  memory/2604-123-0x00000000031C0000-0x00000000031EF000-memory.dmp   188KB
  memory/2604-124-0x0000000000400000-0x0000000002F1A000-memory.dmp   43.1MB
  memory/2604-125-0x0000000004E20000-0x0000000004E21000-memory.dmp   4KB
  memory/2604-126-0x0000000004E22000-0x0000000004E23000-memory.dmp   4KB
  memory/2604-127-0x0000000004E23000-0x0000000004E24000-memory.dmp   4KB
  memory/2604-128-0x0000000009BB0000-0x0000000009BB1000-memory.dmp   4KB
  memory/2604-129-0x0000000009DB0000-0x0000000009DB1000-memory.dmp   4KB
  memory/2604-130-0x0000000004E24000-0x0000000004E26000-memory.dmp   8KB
  memory/2604-131-0x0000000009F40000-0x0000000009F41000-memory.dmp   4KB
  memory/2604-132-0x0000000009FC0000-0x0000000009FC1000-memory.dmp   4KB
  memory/2604-133-0x000000000A230000-0x000000000A231000-memory.dmp   4KB
  memory/2604-134-0x000000000A8B0000-0x000000000A8B1000-memory.dmp   4KB
  memory/2604-135-0x000000000AA80000-0x000000000AA81000-memory.dmp   4KB
  memory/2604-136-0x000000000B960000-0x000000000B961000-memory.dmp   4KB