Analysis
- max time kernel: 1787s
- max time network: 1826s
- platform: windows7_x64
- resource: win7-ja-20210920
- submitted: 22-10-2021 14:39
Static task: static1
Behavioral task: behavioral1 (Sample: Fri05f84fa77402bf.exe, Resource: win7-ja-20210920)
Behavioral task: behavioral2 (Sample: Fri05f84fa77402bf.exe, Resource: win7-en-20211014)
Behavioral task: behavioral3 (Sample: Fri05f84fa77402bf.exe, Resource: win7-de-20210920)
Behavioral task: behavioral4 (Sample: Fri05f84fa77402bf.exe, Resource: win11)
Behavioral task: behavioral5 (Sample: Fri05f84fa77402bf.exe, Resource: win10-ja-20210920)
Behavioral task: behavioral6 (Sample: Fri05f84fa77402bf.exe, Resource: win10-en-20211014)
Behavioral task: behavioral7 (Sample: Fri05f84fa77402bf.exe, Resource: win10-de-20211014)
General
- Target: Fri05f84fa77402bf.exe
- Size: 394KB
- MD5: 8e0abf31bbb7005be2893af10fcceaa9
- SHA1: a48259c2346d7aed8cf14566d066695a8c2db55c
- SHA256: 2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
- SHA512: ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
Malware Config
Extracted
- Family: redline
- Botnet: ChrisNEW
- C2: 194.104.136.5:46013
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2032-59-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2032-58-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2032-60-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2032-61-0x0000000000418542-mapping.dmp | family_redline
behavioral1/memory/2032-62-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Fri05f84fa77402bf.exe
description | pid | process | target process
PID 1692 set thread context of 2032 | 1692 | Fri05f84fa77402bf.exe | Fri05f84fa77402bf.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: Fri05f84fa77402bf.exe
description | pid | process
Token: SeDebugPrivilege | 2032 | Fri05f84fa77402bf.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: Fri05f84fa77402bf.exe, taskeng.exe
description | pid | process | target process
PID 1692 wrote to memory of 2032 | 1692 | Fri05f84fa77402bf.exe | Fri05f84fa77402bf.exe (9 identical events)
PID 596 wrote to memory of 1544 | 596 | taskeng.exe | default-browser-agent.exe (3 identical events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe (level 2, child of the process above)
    Command line: C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {3F44E322-1390-4520-9382-68D26B9FBE1A} S-1-5-18:NT AUTHORITY\System:Service:
-
C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {625B8B4A-556E-4790-A99D-6059DB65EB02} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\default-browser-agent.exe (level 2, child of the process above)
    Command line: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
-
C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {85840366-8E3E-497B-916D-525A03B11EA0} S-1-5-18:NT AUTHORITY\System:Service:
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1544-65-0x0000000000000000-mapping.dmp
- memory/1692-53-0x0000000000350000-0x0000000000351000-memory.dmp (Filesize: 4KB)
- memory/1692-55-0x0000000004A10000-0x0000000004A11000-memory.dmp (Filesize: 4KB)
- memory/2032-57-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2032-56-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2032-59-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2032-58-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2032-60-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2032-61-0x0000000000418542-mapping.dmp
- memory/2032-62-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2032-64-0x00000000047D0000-0x00000000047D1000-memory.dmp (Filesize: 4KB)