Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
15-01-2022 01:41
Static task
static1
General
-
Target
e4e2de1f2cb31a67b7e0209d8144d2a8e72a5ae6182dafdd32aaca99a73d45ec.exe
-
Size
428KB
-
MD5
c50fd05c48e995824aa91c979d071f62
-
SHA1
f1ce385732e54ed8e8951093548b0c831fcab34d
-
SHA256
e4e2de1f2cb31a67b7e0209d8144d2a8e72a5ae6182dafdd32aaca99a73d45ec
-
SHA512
738275bcbdd56e0c1a82b50a7c064b72ea703609420e02523e25632f7953464d16f40e1397b54b19e2c69d7b82640fe1270a30bea0d59b8652c072abfa60be4a
Malware Config
Extracted
redline
RUZKI
185.215.113.29:34865
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2464-119-0x0000000002730000-0x0000000002764000-memory.dmp family_redline behavioral1/memory/2464-121-0x0000000005130000-0x0000000005162000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
e4e2de1f2cb31a67b7e0209d8144d2a8e72a5ae6182dafdd32aaca99a73d45ec.exedescription pid process Token: SeDebugPrivilege 2464 e4e2de1f2cb31a67b7e0209d8144d2a8e72a5ae6182dafdd32aaca99a73d45ec.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2464-115-0x000000000061A000-0x0000000000646000-memory.dmpFilesize
176KB
-
memory/2464-117-0x0000000000400000-0x000000000057A000-memory.dmpFilesize
1.5MB
-
memory/2464-118-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/2464-116-0x00000000022B0000-0x00000000022E9000-memory.dmpFilesize
228KB
-
memory/2464-119-0x0000000002730000-0x0000000002764000-memory.dmpFilesize
208KB
-
memory/2464-120-0x0000000004C30000-0x000000000512E000-memory.dmpFilesize
5.0MB
-
memory/2464-121-0x0000000005130000-0x0000000005162000-memory.dmpFilesize
200KB
-
memory/2464-122-0x0000000005180000-0x0000000005786000-memory.dmpFilesize
6.0MB
-
memory/2464-123-0x0000000005810000-0x0000000005822000-memory.dmpFilesize
72KB
-
memory/2464-124-0x0000000005840000-0x000000000594A000-memory.dmpFilesize
1.0MB
-
memory/2464-125-0x0000000004C22000-0x0000000004C23000-memory.dmpFilesize
4KB
-
memory/2464-126-0x0000000004C23000-0x0000000004C24000-memory.dmpFilesize
4KB
-
memory/2464-127-0x0000000004C24000-0x0000000004C26000-memory.dmpFilesize
8KB
-
memory/2464-128-0x0000000005990000-0x00000000059CE000-memory.dmpFilesize
248KB
-
memory/2464-129-0x00000000059E0000-0x0000000005A2B000-memory.dmpFilesize
300KB
-
memory/2464-130-0x0000000005C80000-0x0000000005CF6000-memory.dmpFilesize
472KB
-
memory/2464-131-0x0000000005D70000-0x0000000005E02000-memory.dmpFilesize
584KB
-
memory/2464-132-0x0000000005D40000-0x0000000005D5E000-memory.dmpFilesize
120KB
-
memory/2464-133-0x0000000005F80000-0x0000000005FE6000-memory.dmpFilesize
408KB
-
memory/2464-134-0x00000000067D0000-0x0000000006992000-memory.dmpFilesize
1.8MB
-
memory/2464-135-0x00000000069B0000-0x0000000006EDC000-memory.dmpFilesize
5.2MB