Analysis
- max time kernel: 109s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 23-10-2021 06:00
Static task: static1
Behavioral task: behavioral1
- Sample: 35968aadf68d8058219fea9aa038ae2b0df8466aeaa1ed970b2488300444caca.exe
- Resource: win10-en-20211014
General
- Target: 35968aadf68d8058219fea9aa038ae2b0df8466aeaa1ed970b2488300444caca.exe
- Size: 442KB
- MD5: 318aee78bb102ccdfd53ab9174cf8da7
- SHA1: 743a858f375946b8929d2be5bfe6ea8316c1f9fd
- SHA256: 35968aadf68d8058219fea9aa038ae2b0df8466aeaa1ed970b2488300444caca
- SHA512: 6be1e9bf17ac305951abb8896d4464c255fe47c381f92ab615b34bef0e01e5c920d0f9c401285e4f0c61640be840b947d230d2706b5eed20c0a3e4455bb35fd1
Malware Config
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2108-118-0x00000000029B0000-0x00000000029DD000-memory.dmp | family_redline
behavioral1/memory/2108-123-0x0000000004F30000-0x0000000004F5B000-memory.dmp | family_redline
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid | process
2108 | 35968aadf68d8058219fea9aa038ae2b0df8466aeaa1ed970b2488300444caca.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2108 | 35968aadf68d8058219fea9aa038ae2b0df8466aeaa1ed970b2488300444caca.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\35968aadf68d8058219fea9aa038ae2b0df8466aeaa1ed970b2488300444caca.exe (PID 2108, tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\35968aadf68d8058219fea9aa038ae2b0df8466aeaa1ed970b2488300444caca.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2108-116-0x0000000000E20000-0x0000000000E64000-memory.dmp (Filesize: 272KB)
- memory/2108-117-0x0000000000400000-0x000000000089E000-memory.dmp (Filesize: 4.6MB)
- memory/2108-118-0x00000000029B0000-0x00000000029DD000-memory.dmp (Filesize: 180KB)
- memory/2108-120-0x0000000004FE2000-0x0000000004FE3000-memory.dmp (Filesize: 4KB)
- memory/2108-119-0x0000000004FE0000-0x0000000004FE1000-memory.dmp (Filesize: 4KB)
- memory/2108-121-0x0000000004FE3000-0x0000000004FE4000-memory.dmp (Filesize: 4KB)
- memory/2108-122-0x0000000004FF0000-0x0000000004FF1000-memory.dmp (Filesize: 4KB)
- memory/2108-123-0x0000000004F30000-0x0000000004F5B000-memory.dmp (Filesize: 172KB)
- memory/2108-124-0x00000000054F0000-0x00000000054F1000-memory.dmp (Filesize: 4KB)
- memory/2108-125-0x0000000005B10000-0x0000000005B11000-memory.dmp (Filesize: 4KB)
- memory/2108-126-0x0000000005B40000-0x0000000005B41000-memory.dmp (Filesize: 4KB)
- memory/2108-127-0x0000000004FE4000-0x0000000004FE6000-memory.dmp (Filesize: 8KB)
- memory/2108-128-0x0000000005C50000-0x0000000005C51000-memory.dmp (Filesize: 4KB)
- memory/2108-129-0x0000000005CD0000-0x0000000005CD1000-memory.dmp (Filesize: 4KB)
- memory/2108-130-0x0000000005F60000-0x0000000005F61000-memory.dmp (Filesize: 4KB)
- memory/2108-131-0x0000000006650000-0x0000000006651000-memory.dmp (Filesize: 4KB)
- memory/2108-132-0x0000000006750000-0x0000000006751000-memory.dmp (Filesize: 4KB)
- memory/2108-133-0x0000000006710000-0x0000000006711000-memory.dmp (Filesize: 4KB)
- memory/2108-134-0x0000000006980000-0x0000000006981000-memory.dmp (Filesize: 4KB)
- memory/2108-135-0x0000000006B60000-0x0000000006B61000-memory.dmp (Filesize: 4KB)
- memory/2108-136-0x00000000091A0000-0x00000000091A1000-memory.dmp (Filesize: 4KB)
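The memory-dump identifiers in the Downloads list encode the PID, a sequence number and the dumped address range, and the Filesize column is simply end minus start. The script below is an added example, not part of this sandbox report or of any tool it references: it parses those identifiers, recomputes each region's size, flags any region that is not page-granular, and marks the two dumps the family_redline YARA rule matched under Signatures. The sample input is a constructed subset of the list above; the size formatting (whole KB below 1 MiB, one decimal MB above) is an assumption that mimics the report's display, and the helper names are the example's own.

```python
import re

# Constructed sample input: a subset of the dump identifiers from the report's
# "Downloads" list, plus the two entries the family_redline YARA rule matched
# under "Signatures" (those carry a behavioral1/ task prefix, the list does not).
DUMP_LINES = [
    "memory/2108-116-0x0000000000E20000-0x0000000000E64000-memory.dmp",
    "memory/2108-117-0x0000000000400000-0x000000000089E000-memory.dmp",
    "memory/2108-118-0x00000000029B0000-0x00000000029DD000-memory.dmp",
    "memory/2108-120-0x0000000004FE2000-0x0000000004FE3000-memory.dmp",
    "memory/2108-123-0x0000000004F30000-0x0000000004F5B000-memory.dmp",
    "memory/2108-127-0x0000000004FE4000-0x0000000004FE6000-memory.dmp",
]
YARA_HITS = {
    "behavioral1/memory/2108-118-0x00000000029B0000-0x00000000029DD000-memory.dmp": "family_redline",
    "behavioral1/memory/2108-123-0x0000000004F30000-0x0000000004F5B000-memory.dmp": "family_redline",
}

# Naming scheme as it appears on the page: [task/]memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?:(?P<task>[A-Za-z0-9]+)/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump identifier into task, pid, sequence number and address range.
    Raises ValueError for names outside the scheme or with an empty/inverted range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump identifier: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


def is_valid_dump_name(name):
    """Boolean wrapper around parse_dump_name, for filtering an untrusted listing."""
    try:
        parse_dump_name(name)
        return True
    except ValueError:
        return False


def format_size(nbytes):
    """Render a byte count like the report's Filesize column
    (assumption: whole KB below 1 MiB, one decimal MB at or above it)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def is_page_granular(rec):
    """Dumped regions should start on a 4 KiB page and span whole pages;
    anything else points at a truncated or mis-parsed entry."""
    return rec["start"] % 0x1000 == 0 and rec["size"] % 0x1000 == 0


def annotate_dumps(dump_lines, yara_hits):
    """Return one record per dump with its recomputed Filesize and the YARA
    family that matched it (None if none). Hits are joined on (pid, seq),
    so the task prefix on the Signatures side does not matter."""
    tags = {}
    for hit, family in yara_hits.items():
        h = parse_dump_name(hit)
        tags[(h["pid"], h["seq"])] = family
    records = []
    for line in dump_lines:
        rec = parse_dump_name(line)
        rec["filesize"] = format_size(rec["size"])
        rec["family"] = tags.get((rec["pid"], rec["seq"]))
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in annotate_dumps(DUMP_LINES, YARA_HITS):
        flag = "" if is_page_granular(r) else " (not page-granular!)"
        print(f"pid={r['pid']} seq={r['seq']:<4} 0x{r['start']:08X}-0x{r['end']:08X} "
              f"{r['filesize']:>6} {r['family'] or '-'}{flag}")
```

Running it reproduces the report's sizes (272KB, 4.6MB, 180KB, 4KB, 172KB, 8KB for the subset) and tags sequence numbers 118 and 123 as family_redline: two private allocations of 180KB and 172KB, well away from the 0x400000 image base, which are the dumps to pull for payload extraction rather than the image itself. Note that the 0x400000 region is 4.6MB while the file on disk is 442KB; a mapped image that much larger than its file is a common sign of packing or inflation, but confirm it against the PE section headers before treating it as such.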