Analysis
max time kernel: 55s
max time network: 45s
platform: windows10_x64
resource: win10-en-20211208
submitted: 10-02-2022 10:43
Static task: static1
General
Target: ea6d62a189240369f269db2d7210cf37a727eef30cda7e091260ad6e81d555bc.exe
Size: 340KB
MD5: 6f93da45cd0ade7b46544a6a13a14946
SHA1: e7a0399716c49117ba96835a23e6b7b9193b6b87
SHA256: ea6d62a189240369f269db2d7210cf37a727eef30cda7e091260ad6e81d555bc
SHA512: 8098bf652c42b8a4524ba42d9cc2e4c76288b239510c9abf692fa0a8288f24edfa046fcbffc1e8246e1b377f4d56f89bb2f0f78f033a1110a10fb7c71662c309
Malware Config
Extracted
redline
noname
185.215.113.29:20819
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/1732-120-0x0000000004BD0000-0x0000000004C04000-memory.dmp  family_redline
behavioral1/memory/1732-122-0x0000000004D80000-0x0000000004DB2000-memory.dmp  family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  1732  ea6d62a189240369f269db2d7210cf37a727eef30cda7e091260ad6e81d555bc.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1732-115-0x0000000002D90000-0x0000000002DBB000-memory.dmp  Filesize: 172KB
memory/1732-116-0x0000000004880000-0x00000000048B9000-memory.dmp  Filesize: 228KB
memory/1732-117-0x0000000000400000-0x000000000043C000-memory.dmp  Filesize: 240KB
memory/1732-118-0x0000000073CCE000-0x0000000073CCF000-memory.dmp  Filesize: 4KB
memory/1732-119-0x0000000007460000-0x0000000007461000-memory.dmp  Filesize: 4KB
memory/1732-120-0x0000000004BD0000-0x0000000004C04000-memory.dmp  Filesize: 208KB
memory/1732-121-0x0000000007470000-0x000000000796E000-memory.dmp  Filesize: 5.0MB
memory/1732-122-0x0000000004D80000-0x0000000004DB2000-memory.dmp  Filesize: 200KB
memory/1732-123-0x0000000007970000-0x0000000007F76000-memory.dmp  Filesize: 6.0MB
memory/1732-124-0x0000000007462000-0x0000000007463000-memory.dmp  Filesize: 4KB
memory/1732-125-0x0000000007463000-0x0000000007464000-memory.dmp  Filesize: 4KB
memory/1732-126-0x00000000072A0000-0x00000000072B2000-memory.dmp  Filesize: 72KB
memory/1732-127-0x00000000072D0000-0x00000000073DA000-memory.dmp  Filesize: 1.0MB
memory/1732-128-0x0000000007420000-0x000000000745E000-memory.dmp  Filesize: 248KB
memory/1732-129-0x0000000007464000-0x0000000007466000-memory.dmp  Filesize: 8KB
memory/1732-130-0x0000000007F90000-0x0000000007FDB000-memory.dmp  Filesize: 300KB
memory/1732-131-0x0000000008230000-0x00000000082A6000-memory.dmp  Filesize: 472KB
memory/1732-132-0x0000000008320000-0x00000000083B2000-memory.dmp  Filesize: 584KB
memory/1732-133-0x00000000082F0000-0x000000000830E000-memory.dmp  Filesize: 120KB
memory/1732-134-0x0000000008520000-0x0000000008586000-memory.dmp  Filesize: 408KB
memory/1732-135-0x0000000008C40000-0x0000000008E02000-memory.dmp  Filesize: 1.8MB
memory/1732-136-0x0000000008E20000-0x000000000934C000-memory.dmp  Filesize: 5.2MB