Analysis

Max time kernel:  109s
Max time network: 138s
Platform:         windows10_x64
Resource:         win10-en-20211014
Submitted:        22-10-2021 14:30
Static task:     static1
Behavioral task: behavioral1
Sample:          8840d8c54b58cc29c57916919906a81fff6bca7bede7c6d5b08a363359ff3582.exe
Resource:        win10-en-20211014
General

Target: 8840d8c54b58cc29c57916919906a81fff6bca7bede7c6d5b08a363359ff3582.exe
Size:   452KB
MD5:    d08c7505d9deda3037398a2bddec6e49
SHA1:   c35417022f575351d7b634aaa297d2e456887a7f
SHA256: 8840d8c54b58cc29c57916919906a81fff6bca7bede7c6d5b08a363359ff3582
SHA512: 94e88d77a383f657233d3777dcb313cd23f10d4042aa3472c92c0082a706098235f29722e2262a4f3e7ec48cdaa796558d611ba8607340208aa1296162280e9e
Malware Config
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1036-118-0x0000000002710000-0x000000000273D000-memory.dmp  family_redline
  behavioral1/memory/1036-120-0x0000000002AE0000-0x0000000002B0B000-memory.dmp  family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  1036  8840d8c54b58cc29c57916919906a81fff6bca7bede7c6d5b08a363359ff3582.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1036  8840d8c54b58cc29c57916919906a81fff6bca7bede7c6d5b08a363359ff3582.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8840d8c54b58cc29c57916919906a81fff6bca7bede7c6d5b08a363359ff3582.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8840d8c54b58cc29c57916919906a81fff6bca7bede7c6d5b08a363359ff3582.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

  Resource                                                          Filesize
  memory/1036-115-0x0000000000B06000-0x0000000000B32000-memory.dmp  176KB
  memory/1036-116-0x0000000000A10000-0x0000000000A54000-memory.dmp  272KB
  memory/1036-117-0x0000000000400000-0x00000000008A0000-memory.dmp  4.6MB
  memory/1036-118-0x0000000002710000-0x000000000273D000-memory.dmp  180KB
  memory/1036-119-0x0000000005230000-0x0000000005231000-memory.dmp  4KB
  memory/1036-120-0x0000000002AE0000-0x0000000002B0B000-memory.dmp  172KB
  memory/1036-121-0x0000000005730000-0x0000000005731000-memory.dmp  4KB
  memory/1036-123-0x0000000005222000-0x0000000005223000-memory.dmp  4KB
  memory/1036-122-0x0000000005220000-0x0000000005221000-memory.dmp  4KB
  memory/1036-124-0x0000000005223000-0x0000000005224000-memory.dmp  4KB
  memory/1036-125-0x0000000002CA0000-0x0000000002CA1000-memory.dmp  4KB
  memory/1036-126-0x0000000005060000-0x0000000005061000-memory.dmp  4KB
  memory/1036-127-0x0000000002CD0000-0x0000000002CD1000-memory.dmp  4KB
  memory/1036-128-0x0000000005224000-0x0000000005226000-memory.dmp  8KB
  memory/1036-129-0x00000000051B0000-0x00000000051B1000-memory.dmp  4KB
  memory/1036-130-0x0000000005F60000-0x0000000005F61000-memory.dmp  4KB
  memory/1036-131-0x0000000005FE0000-0x0000000005FE1000-memory.dmp  4KB
  memory/1036-132-0x00000000060D0000-0x00000000060D1000-memory.dmp  4KB
  memory/1036-133-0x0000000006260000-0x0000000006261000-memory.dmp  4KB
  memory/1036-134-0x0000000007650000-0x0000000007651000-memory.dmp  4KB
  memory/1036-135-0x0000000006AC0000-0x0000000006AC1000-memory.dmp  4KB
  memory/1036-136-0x00000000077E0000-0x00000000077E1000-memory.dmp  4KB