Analysis
- max time kernel: 128s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 08-03-2022 16:52
- static task: static1
General
- Target: 5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe
- Size: 1.2MB
- MD5: 785d2a137e07c46e7ea165de0f16cb51
- SHA1: 975258bbb7889f0ebabf1ef518cc673a56c6ab05
- SHA256: 5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065
- SHA512: e7745cea21bb4c94db27dfe5e095bf59ea41a3e47294f0e9aa6a841d9525a868ef6d5a09a929ac01c5ebc8908a6fdb4fdeb4653e63ecdf024d0f83f33b69455d
Malware Config
Extracted
- family: redline
- C2: 193.106.191.115:22844
- auth_value: 03a75a697cd88e0f34b1f6c08b8bbba9
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (4 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/776-131-0x00000000004B0000-0x00000000006D0000-memory.dmp / family_redline
  - behavioral1/memory/776-133-0x00000000004B0000-0x00000000006D0000-memory.dmp / family_redline
  - behavioral1/memory/776-137-0x00000000004B0000-0x00000000006D0000-memory.dmp / family_redline
  - behavioral1/memory/776-138-0x00000000004B0000-0x00000000006D0000-memory.dmp / family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid / process):
  - 776 / 5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
  - 776 / 5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe
  - 776 / 5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe
  - 776 / 5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 776 / 5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dump / filesize)
- memory/776-130-0x0000000002BE0000-0x0000000002C26000-memory.dmp / 280KB
- memory/776-131-0x00000000004B0000-0x00000000006D0000-memory.dmp / 2.1MB
- memory/776-132-0x0000000000FD0000-0x0000000000FD1000-memory.dmp / 4KB
- memory/776-133-0x00000000004B0000-0x00000000006D0000-memory.dmp / 2.1MB
- memory/776-134-0x0000000000FF0000-0x0000000000FF1000-memory.dmp / 4KB
- memory/776-135-0x0000000075C20000-0x0000000075E35000-memory.dmp / 2.1MB
- memory/776-136-0x0000000074860000-0x0000000075010000-memory.dmp / 7.7MB
- memory/776-137-0x00000000004B0000-0x00000000006D0000-memory.dmp / 2.1MB
- memory/776-138-0x00000000004B0000-0x00000000006D0000-memory.dmp / 2.1MB
- memory/776-139-0x00000000732F0000-0x0000000073379000-memory.dmp / 548KB
- memory/776-140-0x00000000772A0000-0x0000000077853000-memory.dmp / 5.7MB
- memory/776-141-0x0000000005D20000-0x0000000006338000-memory.dmp / 6.1MB
- memory/776-142-0x0000000003680000-0x0000000003692000-memory.dmp / 72KB
- memory/776-143-0x0000000005810000-0x000000000591A000-memory.dmp / 1.0MB
- memory/776-144-0x0000000005700000-0x0000000005D18000-memory.dmp / 6.1MB
- memory/776-145-0x0000000005700000-0x000000000573C000-memory.dmp / 240KB
- memory/776-146-0x000000006EB00000-0x000000006EB4C000-memory.dmp / 304KB
- memory/776-147-0x0000000001180000-0x00000000011F6000-memory.dmp / 472KB
- memory/776-148-0x00000000012A0000-0x0000000001332000-memory.dmp / 584KB
- memory/776-149-0x00000000068F0000-0x0000000006E94000-memory.dmp / 5.6MB
- memory/776-150-0x0000000001260000-0x000000000127E000-memory.dmp / 120KB
- memory/776-151-0x00000000065A0000-0x0000000006606000-memory.dmp / 408KB
- memory/776-152-0x0000000007170000-0x0000000007332000-memory.dmp / 1.8MB
- memory/776-153-0x0000000007870000-0x0000000007D9C000-memory.dmp / 5.2MB