Overview

overview

10

Static

static

tmp/21b1fb...34.exe

windows7_x64

10

tmp/21b1fb...34.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    18-12-2021 17:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp/21b1fb08-2827-4c3a-aaf9-a118f8209a34_334.exe

  • Size

    787KB

  • MD5

    a048419bbecd8baf3e9620c51a19dcb0

  • SHA1

    468c3e429b559aebb2046a8f3367ea4e52e4d30a

  • SHA256

    bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b

  • SHA512

    32facaca25a760af3ecdfabf561e50f8631a079ea7411484bd7565c64ea1f0b3f87060c05ff1d8535d77b726658f62ae098d622e7318b7d76929f67cc268f7a6

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp\21b1fb08-2827-4c3a-aaf9-a118f8209a34_334.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp\21b1fb08-2827-4c3a-aaf9-a118f8209a34_334.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3280-116-0x0000000001040000-0x00000000010E5000-memory.dmp
    Filesize

    660KB

    Download
  • memory/3280-115-0x0000000001500000-0x000000000164A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3280-117-0x0000000001040000-0x00000000010E5000-memory.dmp
    Filesize

    660KB

    Download
  • memory/3280-118-0x00000000014C0000-0x00000000014C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-119-0x0000000076350000-0x0000000076512000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3280-120-0x0000000077190000-0x0000000077281000-memory.dmp
    Filesize

    964KB

    Download
  • memory/3280-121-0x0000000001040000-0x0000000001041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-123-0x00000000723C0000-0x0000000072440000-memory.dmp
    Filesize

    512KB

    Download
  • memory/3280-124-0x0000000006220000-0x0000000006221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-125-0x0000000005B50000-0x0000000005B51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-126-0x0000000005D20000-0x0000000005D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-127-0x0000000005C00000-0x0000000005C01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-128-0x0000000005BB0000-0x0000000005BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-129-0x0000000076800000-0x0000000076D84000-memory.dmp
    Filesize

    5.5MB

    Download
  • memory/3280-130-0x00000000742C0000-0x0000000075608000-memory.dmp
    Filesize

    19.3MB

    Download
  • memory/3280-131-0x0000000005C10000-0x0000000005C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-132-0x0000000070610000-0x000000007065B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3280-133-0x0000000005EF0000-0x0000000005EF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-134-0x0000000006F30000-0x0000000006F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-135-0x0000000006AB0000-0x0000000006AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-136-0x0000000006BD0000-0x0000000006BD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-137-0x0000000006BB0000-0x0000000006BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-138-0x0000000007700000-0x0000000007701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-139-0x0000000007E00000-0x0000000007E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3280-140-0x00000000078D0000-0x00000000078D1000-memory.dmp
    Filesize

    4KB

    Download