Analysis
-
max time kernel
146s -
max time network
163s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
13-02-2022 11:09
General
-
Target
2e1ce5f06ef45fa6611ad42f54e29830c396c697adbf3013e70d4bde36e31051.exe
-
Size
440KB
-
MD5
aa3ff9c17a3bcba16cb8a5fb19acfe29
-
SHA1
364703e2a5e38fe4430e4896de1f8f4c62a2834f
-
SHA256
2e1ce5f06ef45fa6611ad42f54e29830c396c697adbf3013e70d4bde36e31051
-
SHA512
38a1846b9f14975b2d7172b8b8d64e5fb055f75d71323154a6dcc5926bc249009dafd4aa58015d0c04b73f391974312f7f48d2afd01a58318956d01bf6eccac0
Malware Config
Extracted
redline
noname
185.215.113.29:20819
-
auth_value
ee92d883673b7156fdd66cac5fc8d2d0
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e1ce5f06ef45fa6611ad42f54e29830c396c697adbf3013e70d4bde36e31051.exe"C:\Users\Admin\AppData\Local\Temp\2e1ce5f06ef45fa6611ad42f54e29830c396c697adbf3013e70d4bde36e31051.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3160-115-0x00000000009DA000-0x0000000000A06000-memory.dmpFilesize
176KB
-
memory/3160-116-0x00000000009DA000-0x0000000000A06000-memory.dmpFilesize
176KB
-
memory/3160-117-0x00000000025A0000-0x00000000025D9000-memory.dmpFilesize
228KB
-
memory/3160-118-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/3160-119-0x0000000072EEE000-0x0000000072EEF000-memory.dmpFilesize
4KB
-
memory/3160-120-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/3160-121-0x0000000002820000-0x0000000002854000-memory.dmpFilesize
208KB
-
memory/3160-122-0x0000000005102000-0x0000000005103000-memory.dmpFilesize
4KB
-
memory/3160-123-0x0000000005103000-0x0000000005104000-memory.dmpFilesize
4KB
-
memory/3160-124-0x0000000005110000-0x000000000560E000-memory.dmpFilesize
5.0MB
-
memory/3160-125-0x0000000002AA0000-0x0000000002AD2000-memory.dmpFilesize
200KB
-
memory/3160-126-0x0000000005C20000-0x0000000006226000-memory.dmpFilesize
6.0MB
-
memory/3160-127-0x0000000004FE0000-0x0000000004FF2000-memory.dmpFilesize
72KB
-
memory/3160-128-0x0000000005610000-0x000000000571A000-memory.dmpFilesize
1.0MB
-
memory/3160-129-0x0000000005104000-0x0000000005106000-memory.dmpFilesize
8KB
-
memory/3160-130-0x0000000005920000-0x000000000595E000-memory.dmpFilesize
248KB
-
memory/3160-131-0x0000000005960000-0x00000000059AB000-memory.dmpFilesize
300KB
-
memory/3160-132-0x0000000000B30000-0x0000000000BA6000-memory.dmpFilesize
472KB
-
memory/3160-133-0x0000000005A30000-0x0000000005AC2000-memory.dmpFilesize
584KB
-
memory/3160-134-0x0000000006330000-0x000000000634E000-memory.dmpFilesize
120KB
-
memory/3160-135-0x00000000063A0000-0x0000000006406000-memory.dmpFilesize
408KB
-
memory/3160-136-0x0000000006840000-0x0000000006A02000-memory.dmpFilesize
1.8MB
-
memory/3160-137-0x0000000006A10000-0x0000000006F3C000-memory.dmpFilesize
5.2MB