Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 27-11-2021 08:50
- Static task: static1
General
- Target: 2f9090ce3078e6954bba399926a9e735358626101188ac0d9994bff8161a4da2.exe
- Size: 423KB
- MD5: 5e1f1ed1b91c848a21479606acb2615a
- SHA1: 457c1ff71520637e8412def5b116e646f7bc52b5
- SHA256: 2f9090ce3078e6954bba399926a9e735358626101188ac0d9994bff8161a4da2
- SHA512: a959d23f46e03ed2ebf951c37902db0bf173de1dd8a66095599ddedb7c01b3b505fdb67990f62197ef07572764b6a0fbafbe8ae695a4ad685e5b21b8a5d4a855
Malware Config
- Extracted: redline
- Pubdate
- 193.56.146.64:65441
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource                                                                        yara_rule
    behavioral1/memory/2104-121-0x0000000004F70000-0x0000000004F9E000-memory.dmp   family_redline
    behavioral1/memory/2104-126-0x0000000005260000-0x000000000528C000-memory.dmp   family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    2f9090ce3078e6954bba399926a9e735358626101188ac0d9994bff8161a4da2.exe
    description                pid    process
    Token: SeDebugPrivilege    2104   2f9090ce3078e6954bba399926a9e735358626101188ac0d9994bff8161a4da2.exe
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2104-120-0x0000000000400000-0x0000000003245000-memory.dmp (Filesize 46.3MB)
- memory/2104-119-0x00000000032A0000-0x000000000334E000-memory.dmp (Filesize 696KB)
- memory/2104-121-0x0000000004F70000-0x0000000004F9E000-memory.dmp (Filesize 184KB)
- memory/2104-124-0x0000000005292000-0x0000000005293000-memory.dmp (Filesize 4KB)
- memory/2104-123-0x00000000077F0000-0x00000000077F1000-memory.dmp (Filesize 4KB)
- memory/2104-122-0x0000000005290000-0x0000000005291000-memory.dmp (Filesize 4KB)
- memory/2104-125-0x0000000005293000-0x0000000005294000-memory.dmp (Filesize 4KB)
- memory/2104-126-0x0000000005260000-0x000000000528C000-memory.dmp (Filesize 176KB)
- memory/2104-127-0x0000000007D00000-0x0000000007D01000-memory.dmp (Filesize 4KB)
- memory/2104-128-0x00000000083A0000-0x00000000083A1000-memory.dmp (Filesize 4KB)
- memory/2104-129-0x00000000083D0000-0x00000000083D1000-memory.dmp (Filesize 4KB)
- memory/2104-130-0x00000000084E0000-0x00000000084E1000-memory.dmp (Filesize 4KB)
- memory/2104-131-0x0000000008570000-0x0000000008571000-memory.dmp (Filesize 4KB)
- memory/2104-132-0x0000000005294000-0x0000000005296000-memory.dmp (Filesize 8KB)
- memory/2104-133-0x0000000008800000-0x0000000008801000-memory.dmp (Filesize 4KB)
- memory/2104-134-0x0000000008880000-0x0000000008881000-memory.dmp (Filesize 4KB)
- memory/2104-135-0x0000000008A60000-0x0000000008A61000-memory.dmp (Filesize 4KB)
- memory/2104-136-0x0000000008B20000-0x0000000008B21000-memory.dmp (Filesize 4KB)
- memory/2104-137-0x0000000009220000-0x0000000009221000-memory.dmp (Filesize 4KB)
- memory/2104-138-0x0000000009400000-0x0000000009401000-memory.dmp (Filesize 4KB)