ae01f2bc706a36067098f0fb91ba00fe.exe

General
Target

ae01f2bc706a36067098f0fb91ba00fe.exe

Filesize

285KB

Completed

25-11-2021 16:47

Score
10/10
MD5

ae01f2bc706a36067098f0fb91ba00fe

SHA1

59ce206847ccac4240c238bbccfd5d8df994d3ec

SHA256

15e53ff78ca402b6c76e10ce878d62a6c5eff3e29be5af39fd68c37470ba9c29

Malware Config

Extracted

Family redline
Botnet Updbdate
C2

193.56.146.64:65441
Signatures 6

Filter: none

Collection
Credential Access
Discovery
  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/1148-58-0x0000000000690000-0x00000000006BE000-memory.dmpfamily_redline
    behavioral1/memory/1148-59-0x00000000006F0000-0x000000000071C000-memory.dmpfamily_redline
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Suspicious use of AdjustPrivilegeToken
    ae01f2bc706a36067098f0fb91ba00fe.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1148ae01f2bc706a36067098f0fb91ba00fe.exe
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\ae01f2bc706a36067098f0fb91ba00fe.exe
    "C:\Users\Admin\AppData\Local\Temp\ae01f2bc706a36067098f0fb91ba00fe.exe"
    Suspicious use of AdjustPrivilegeToken
    PID:1148
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
      Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • memory/1148-57-0x0000000000400000-0x000000000044F000-memory.dmp

                      Download

                    • memory/1148-56-0x00000000002F0000-0x0000000000329000-memory.dmp

                      Download

                    • memory/1148-55-0x0000000000220000-0x000000000024B000-memory.dmp

                      Download

                    • memory/1148-58-0x0000000000690000-0x00000000006BE000-memory.dmp

                      Download

                    • memory/1148-59-0x00000000006F0000-0x000000000071C000-memory.dmp

                      Download

                    • memory/1148-61-0x00000000025C2000-0x00000000025C3000-memory.dmp

                      Download

                    • memory/1148-60-0x00000000025C1000-0x00000000025C2000-memory.dmp

                      Download

                    • memory/1148-62-0x00000000025C3000-0x00000000025C4000-memory.dmp

                      Download

                    • memory/1148-63-0x00000000025C4000-0x00000000025C6000-memory.dmp

                      Download