9511dc0748924375cf62e19e57c721e9965bbee4d0b509db382a492d5873db29

max time kernel121s
max time network139s
platformwindows10_x64
resourcewin10-en-20211208
submitted27-01-2022 09:53

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

9511dc0748924375cf62e19e57c721e9965bbee4d0b509db382a492d5873db29.exe

Filesize

328KB

Completed

27-01-2022 09:56

Score

10^/10

MD5

3f5f3af3b5f8d722547cd9b30960e0ba

SHA1

47d78e2a46c341c78d3dd81cae7934809e7b8014

SHA256

9511dc0748924375cf62e19e57c721e9965bbee4d0b509db382a492d5873db29

Extracted

Family	redline
Botnet	ruzkiKAKOYTO
C2	185.215.113.29:20819 185.215.113.29:20819

Collection

Credential Access

Discovery

RedLine

Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Tags

infostealer redline

RedLine Payload

Reported IOCs

resource	yara_rule
behavioral1/memory/3484-118-0x0000000002420000-0x0000000002454000-memory.dmp	family_redline
behavioral1/memory/3484-120-0x00000000025A0000-0x00000000025D2000-memory.dmp	family_redline

Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Suspicious use of AdjustPrivilegeToken
9511dc0748924375cf62e19e57c721e9965bbee4d0b509db382a492d5873db29.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 3484 9511dc0748924375cf62e19e57c721e9965bbee4d0b509db382a492d5873db29.exe

description	pid	process
Token: SeDebugPrivilege	3484	9511dc0748924375cf62e19e57c721e9965bbee4d0b509db382a492d5873db29.exe

C:\Users\Admin\AppData\Local\Temp\9511dc0748924375cf62e19e57c721e9965bbee4d0b509db382a492d5873db29.exe

"C:\Users\Admin\AppData\Local\Temp\9511dc0748924375cf62e19e57c721e9965bbee4d0b509db382a492d5873db29.exe"

Suspicious use of AdjustPrivilegeToken

PID:3484

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Query Registry

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/3484-116-0x00000000021A0000-0x00000000021D9000-memory.dmp

Download
memory/3484-117-0x0000000000400000-0x0000000000459000-memory.dmp

Download
memory/3484-118-0x0000000002420000-0x0000000002454000-memory.dmp

Download
memory/3484-119-0x0000000004C50000-0x000000000514E000-memory.dmp

Download
memory/3484-120-0x00000000025A0000-0x00000000025D2000-memory.dmp

Download
memory/3484-121-0x0000000004C40000-0x0000000004C41000-memory.dmp

Download
memory/3484-122-0x0000000004C42000-0x0000000004C43000-memory.dmp

Download
memory/3484-123-0x0000000004C43000-0x0000000004C44000-memory.dmp

Download
memory/3484-124-0x0000000005150000-0x0000000005756000-memory.dmp

Download
memory/3484-125-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Download
memory/3484-126-0x0000000005760000-0x000000000586A000-memory.dmp

Download
memory/3484-127-0x0000000005870000-0x00000000058AE000-memory.dmp

Download
memory/3484-128-0x0000000004C44000-0x0000000004C46000-memory.dmp

Download
memory/3484-129-0x00000000059C0000-0x0000000005A0B000-memory.dmp

Download
memory/3484-130-0x0000000005B60000-0x0000000005BD6000-memory.dmp

Download
memory/3484-131-0x0000000005C50000-0x0000000005CE2000-memory.dmp

Download
memory/3484-132-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Download
memory/3484-133-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Download
memory/3484-134-0x0000000006590000-0x0000000006752000-memory.dmp

Download
memory/3484-135-0x0000000006760000-0x0000000006C8C000-memory.dmp

Download

9511dc0748924375cf62e19e57c721e9965bbee4d0b509db382a492d5873db29

Extracted

Filter: none

Description

Tags

Reported IOCs

Description

Tags

TTPs

Description

Tags

TTPs

Reported IOCs

Title