ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c

General
Target

ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

Filesize

380KB

Completed

27-01-2022 09:07

Score
10/10
MD5

3490d8c4ddf715b103e851fff227c3eb

SHA1

6e456f5f062801c8a4130a94c21e2126b12fe033

SHA256

ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c

Malware Config

Extracted

Family redline
Botnet noname
C2

185.215.113.29:20819

Signatures 5

Collection
Credential Access
Discovery
  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/3152-118-0x00000000024B0000-0x00000000024E4000-memory.dmp | family_redline
    behavioral1/memory/3152-123-0x0000000004B10000-0x0000000004B42000-memory.dmp | family_redline
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Suspicious use of AdjustPrivilegeToken
    ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3152 | ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe
    "C:\Users\Admin\AppData\Local\Temp\ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe"
    Suspicious use of AdjustPrivilegeToken
    PID:3152
Network
MITRE ATT&CK Matrix
Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads