Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
14-12-2021 13:21
General
-
Target
tmp/systemg.exe
-
Size
1.2MB
-
MD5
78b83d8da9273d6d39a4d419296df1ef
-
SHA1
bdeb862c9dfd8c326ea6b52c340bdec35725f325
-
SHA256
ac30759bb6db02424de46e97faae66924a81b4972893fce91f81b6f3232936c3
-
SHA512
debf0a707f13bb1dac5ebb7ba3eecbc452c38cdb6445a156ad8b89a500bfa62254a972b78442867e5df32aebcae794d0cc72495c6380810a67564d4168e8b592
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
13.12_BUILD_1
C2
45.9.20.221:2865
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp\systemg.exe"C:\Users\Admin\AppData\Local\Temp\tmp\systemg.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp\systemg.exe"C:\Users\Admin\AppData\Local\Temp\tmp\systemg.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2708-115-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2708-116-0x000000000040CD2F-mapping.dmp
-
memory/2708-117-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2708-118-0x0000000002590000-0x00000000025BE000-memory.dmpFilesize
184KB
-
memory/2708-119-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/2708-120-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/2708-122-0x0000000004AD3000-0x0000000004AD4000-memory.dmpFilesize
4KB
-
memory/2708-121-0x0000000004AD2000-0x0000000004AD3000-memory.dmpFilesize
4KB
-
memory/2708-123-0x0000000002600000-0x000000000262D000-memory.dmpFilesize
180KB
-
memory/2708-124-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/2708-125-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/2708-126-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/2708-127-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/2708-128-0x0000000004AD4000-0x0000000004AD6000-memory.dmpFilesize
8KB
-
memory/2708-129-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/2708-130-0x00000000058A0000-0x00000000058A1000-memory.dmpFilesize
4KB
-
memory/2708-131-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB
-
memory/2708-132-0x0000000006000000-0x0000000006001000-memory.dmpFilesize
4KB
-
memory/2708-133-0x0000000006310000-0x0000000006311000-memory.dmpFilesize
4KB
-
memory/2708-134-0x0000000006FD0000-0x0000000006FD1000-memory.dmpFilesize
4KB
-
memory/2708-135-0x00000000071A0000-0x00000000071A1000-memory.dmpFilesize
4KB