Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 08-11-2021 21:12
- Static task: static1
General
- Target: 1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe
- Size: 361KB
- MD5: 60c1c744ea8ef33fecca02fc1ed86d87
- SHA1: 8c63cb28883d6816e13a4a1da3915233687fb33f
- SHA256: 1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc
- SHA512: 082e8176ab8648e3427f2fcbc6c472ea47091e14c9062214cc4f3a6b33336e18a8c2c5d48cda0be855b1f9e4d9c06ea90584ee5b8b6381b5cb01f474642b2ea0
Malware Config
Extracted
- Family: redline
- Botnet: 09.11
- C2: 185.215.113.17:7700
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes (resource, YARA rule):
  behavioral1/memory/2728-118-0x0000000002650000-0x000000000267E000-memory.dmp  family_redline
  behavioral1/memory/2728-120-0x00000000027F0000-0x000000000281C000-memory.dmp  family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (PID, process):
  2728  1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, PID, process):
  Token: SeDebugPrivilege  2728  1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps, with file size)
- memory/2728-116-0x00000000021D0000-0x0000000002209000-memory.dmp (228KB)
- memory/2728-115-0x0000000000470000-0x00000000005BA000-memory.dmp (1.3MB)
- memory/2728-117-0x0000000000400000-0x0000000000464000-memory.dmp (400KB)
- memory/2728-118-0x0000000002650000-0x000000000267E000-memory.dmp (184KB)
- memory/2728-119-0x0000000004D70000-0x0000000004D71000-memory.dmp (4KB)
- memory/2728-120-0x00000000027F0000-0x000000000281C000-memory.dmp (176KB)
- memory/2728-122-0x0000000004D62000-0x0000000004D63000-memory.dmp (4KB)
- memory/2728-123-0x0000000004D63000-0x0000000004D64000-memory.dmp (4KB)
- memory/2728-121-0x0000000004D60000-0x0000000004D61000-memory.dmp (4KB)
- memory/2728-124-0x0000000005270000-0x0000000005271000-memory.dmp (4KB)
- memory/2728-125-0x0000000004C10000-0x0000000004C11000-memory.dmp (4KB)
- memory/2728-126-0x0000000004C40000-0x0000000004C41000-memory.dmp (4KB)
- memory/2728-127-0x00000000058C0000-0x00000000058C1000-memory.dmp (4KB)
- memory/2728-128-0x0000000004D64000-0x0000000004D66000-memory.dmp (8KB)
- memory/2728-129-0x0000000005900000-0x0000000005901000-memory.dmp (4KB)
- memory/2728-130-0x0000000005F00000-0x0000000005F01000-memory.dmp (4KB)
- memory/2728-131-0x0000000006000000-0x0000000006001000-memory.dmp (4KB)
- memory/2728-132-0x0000000005FC0000-0x0000000005FC1000-memory.dmp (4KB)
- memory/2728-133-0x0000000006210000-0x0000000006211000-memory.dmp (4KB)
- memory/2728-134-0x00000000067C0000-0x00000000067C1000-memory.dmp (4KB)
- memory/2728-135-0x0000000006990000-0x0000000006991000-memory.dmp (4KB)