Analysis
max time kernel: 121s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211208
submitted: 14-12-2021 13:21
Static task: static1
Behavioral task: behavioral1
  Sample: tmp/systemg.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: tmp/systemg.exe
  Resource: win10-en-20211208
General
Target: tmp/systemg.exe
Size: 1.2MB
MD5: 78b83d8da9273d6d39a4d419296df1ef
SHA1: bdeb862c9dfd8c326ea6b52c340bdec35725f325
SHA256: ac30759bb6db02424de46e97faae66924a81b4972893fce91f81b6f3232936c3
SHA512: debf0a707f13bb1dac5ebb7ba3eecbc452c38cdb6445a156ad8b89a500bfa62254a972b78442867e5df32aebcae794d0cc72495c6380810a67564d4168e8b592
Malware Config
Extracted
  redline
  13.12_BUILD_1
  45.9.20.221:2865
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource                                                                        yara_rule
    behavioral2/memory/2708-118-0x0000000002590000-0x00000000025BE000-memory.dmp   family_redline
    behavioral2/memory/2708-123-0x0000000002600000-0x000000000262D000-memory.dmp   family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid    process       target process
    PID 2508 set thread context of 2708  2508   systemg.exe   systemg.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid    process
    2708   systemg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   2708   systemg.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                        pid    process       target process
    PID 2508 wrote to memory of 2708   2508   systemg.exe   systemg.exe
    PID 2508 wrote to memory of 2708   2508   systemg.exe   systemg.exe
    PID 2508 wrote to memory of 2708   2508   systemg.exe   systemg.exe
    PID 2508 wrote to memory of 2708   2508   systemg.exe   systemg.exe
    PID 2508 wrote to memory of 2708   2508   systemg.exe   systemg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp\systemg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp\systemg.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp\systemg.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp\systemg.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads