Overview

overview

10

Static

static

f8ee63dd73...6f.exe

windows7_x64

10

f8ee63dd73...6f.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    26-01-2022 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8ee63dd7398b1c90f556aef3ca8df6f.exe

  • Size

    444KB

  • MD5

    f8ee63dd7398b1c90f556aef3ca8df6f

  • SHA1

    1ca64687a0cdc8e9ef8ecba80751c90d9ad43542

  • SHA256

    cde13ee20be6ac38144d167a8b211e8f08832f608094ab92c41d7794dfb6c063

  • SHA512

    8f0cd9d710e252d96049216218fe5941a8d8d8a6a5b950851e8ceecb3c888bbdd6aade607864ae9a8f2b996830281fb48f47907674daf591f44193c2658aef3b

Score
10/10
redlinenonamediscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

noname

C2

185.215.113.29:20819

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8ee63dd7398b1c90f556aef3ca8df6f.exe
    "C:\Users\Admin\AppData\Local\Temp\f8ee63dd7398b1c90f556aef3ca8df6f.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/960-54-0x0000000000560000-0x00000000005A8000-memory.dmp
    Filesize

    288KB

    Download
  • memory/960-55-0x0000000000220000-0x0000000000259000-memory.dmp
    Filesize

    228KB

    Download
  • memory/960-56-0x0000000000400000-0x0000000000499000-memory.dmp
    Filesize

    612KB

    Download
  • memory/960-57-0x0000000001F90000-0x0000000001FC4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/960-58-0x0000000001FC0000-0x0000000001FF2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/960-59-0x0000000004991000-0x0000000004992000-memory.dmp
    Filesize

    4KB

    Download
  • memory/960-60-0x0000000004992000-0x0000000004993000-memory.dmp
    Filesize

    4KB

    Download
  • memory/960-61-0x0000000004993000-0x0000000004994000-memory.dmp
    Filesize

    4KB

    Download
  • memory/960-62-0x00000000762C1000-0x00000000762C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/960-63-0x0000000004994000-0x0000000004996000-memory.dmp
    Filesize

    8KB

    Download