ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c

max time kernel77s
max time network147s
platformwindows10_x64
resourcewin10-en-20211208
submitted27-01-2022 09:04

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

Filesize

380KB

Completed

27-01-2022 09:07

Score

10^/10

MD5

3490d8c4ddf715b103e851fff227c3eb

SHA1

6e456f5f062801c8a4130a94c21e2126b12fe033

SHA256

ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c

Extracted

Family	redline
Botnet	noname
C2	185.215.113.29:20819 185.215.113.29:20819

Collection

Credential Access

Discovery

RedLine

Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Tags

infostealer redline

RedLine Payload

Reported IOCs

resource	yara_rule
behavioral1/memory/3152-118-0x00000000024B0000-0x00000000024E4000-memory.dmp	family_redline
behavioral1/memory/3152-123-0x0000000004B10000-0x0000000004B42000-memory.dmp	family_redline

Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Suspicious use of AdjustPrivilegeToken
ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 3152 ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

description	pid	process
Token: SeDebugPrivilege	3152	ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

C:\Users\Admin\AppData\Local\Temp\ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

"C:\Users\Admin\AppData\Local\Temp\ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe"

Suspicious use of AdjustPrivilegeToken

PID:3152

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Query Registry

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/3152-116-0x0000000002090000-0x00000000020C9000-memory.dmp

Download
memory/3152-117-0x0000000000400000-0x0000000000465000-memory.dmp

Download
memory/3152-118-0x00000000024B0000-0x00000000024E4000-memory.dmp

Download
memory/3152-119-0x0000000004CD0000-0x00000000051CE000-memory.dmp

Download
memory/3152-120-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Download
memory/3152-121-0x0000000004CC2000-0x0000000004CC3000-memory.dmp

Download
memory/3152-122-0x0000000004CC3000-0x0000000004CC4000-memory.dmp

Download
memory/3152-123-0x0000000004B10000-0x0000000004B42000-memory.dmp

Download
memory/3152-124-0x00000000051D0000-0x00000000057D6000-memory.dmp

Download
memory/3152-125-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

Download
memory/3152-126-0x00000000057E0000-0x00000000058EA000-memory.dmp

Download
memory/3152-127-0x0000000004CC4000-0x0000000004CC6000-memory.dmp

Download
memory/3152-128-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Download
memory/3152-129-0x00000000058F0000-0x000000000593B000-memory.dmp

Download
memory/3152-130-0x0000000005B70000-0x0000000005BE6000-memory.dmp

Download
memory/3152-131-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Download
memory/3152-132-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Download
memory/3152-133-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Download
memory/3152-134-0x00000000065A0000-0x0000000006762000-memory.dmp

Download
memory/3152-135-0x0000000006770000-0x0000000006C9C000-memory.dmp

Download

ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c

Extracted

Filter: none

Description

Tags

Reported IOCs

Description

Tags

TTPs

Description

Tags

TTPs

Reported IOCs

Title