Analysis
-
max time kernel
157s -
max time network
168s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
29-01-2022 19:56
General
-
Target
ebb86bff468a3b482b724efc18a226b5.exe
-
Size
599KB
-
MD5
ebb86bff468a3b482b724efc18a226b5
-
SHA1
8e9d5f32146bb17b56c9cdd61023ace27982c44c
-
SHA256
677b8d2a671f9f2de4e110adaf6eb12f74c9feb15dcd9e6e6c126f668676cf57
-
SHA512
a49113e697b58d300b9404b5b5a046240b185c38242c78ac7f26891976915e92439ff8ec636af4c2bad5b0015574c21ea518db10918bc2cf843afdde713854c7
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebb86bff468a3b482b724efc18a226b5.exe"C:\Users\Admin\AppData\Local\Temp\ebb86bff468a3b482b724efc18a226b5.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4320-115-0x00000000024F0000-0x0000000002535000-memory.dmpFilesize
276KB
-
memory/4320-116-0x00000000002A0000-0x0000000000314000-memory.dmpFilesize
464KB
-
memory/4320-117-0x0000000000740000-0x0000000000741000-memory.dmpFilesize
4KB
-
memory/4320-118-0x0000000075E80000-0x0000000076042000-memory.dmpFilesize
1.8MB
-
memory/4320-119-0x0000000073C20000-0x0000000073D11000-memory.dmpFilesize
964KB
-
memory/4320-120-0x00000000002A0000-0x0000000000314000-memory.dmpFilesize
464KB
-
memory/4320-121-0x0000000071B10000-0x0000000071B90000-memory.dmpFilesize
512KB
-
memory/4320-122-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/4320-123-0x0000000076220000-0x00000000767A4000-memory.dmpFilesize
5.5MB
-
memory/4320-124-0x00000000747D0000-0x0000000075B18000-memory.dmpFilesize
19.3MB
-
memory/4320-125-0x00000000056C0000-0x0000000005CC6000-memory.dmpFilesize
6.0MB
-
memory/4320-126-0x0000000004F20000-0x0000000004F32000-memory.dmpFilesize
72KB
-
memory/4320-127-0x00000000050B0000-0x00000000051BA000-memory.dmpFilesize
1.0MB
-
memory/4320-128-0x0000000004F90000-0x0000000004FCE000-memory.dmpFilesize
248KB
-
memory/4320-129-0x0000000005390000-0x0000000005552000-memory.dmpFilesize
1.8MB
-
memory/4320-130-0x00000000052C0000-0x000000000530B000-memory.dmpFilesize
300KB
-
memory/4320-131-0x000000006D5B0000-0x000000006D5FB000-memory.dmpFilesize
300KB
-
memory/4320-132-0x0000000000BB0000-0x0000000000C26000-memory.dmpFilesize
472KB
-
memory/4320-133-0x0000000000CD0000-0x0000000000D62000-memory.dmpFilesize
584KB
-
memory/4320-134-0x00000000061D0000-0x00000000066CE000-memory.dmpFilesize
5.0MB
-
memory/4320-135-0x0000000000EB0000-0x0000000000ECE000-memory.dmpFilesize
120KB
-
memory/4320-136-0x0000000005FA0000-0x0000000006006000-memory.dmpFilesize
408KB
-
memory/4320-137-0x0000000006180000-0x00000000061D0000-memory.dmpFilesize
320KB
-
memory/4320-138-0x00000000079F0000-0x0000000007F1C000-memory.dmpFilesize
5.2MB