Analysis

  • max time kernel: 128s
  • max time network: 157s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220112
  • submitted: 08-03-2022 16:52

General

  • Target: 5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe
  • Size: 1.2MB
  • MD5: 785d2a137e07c46e7ea165de0f16cb51
  • SHA1: 975258bbb7889f0ebabf1ef518cc673a56c6ab05
  • SHA256: 5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065
  • SHA512: e7745cea21bb4c94db27dfe5e095bf59ea41a3e47294f0e9aa6a841d9525a868ef6d5a09a929ac01c5ebc8908a6fdb4fdeb4653e63ecdf024d0f83f33b69455d

Malware Config

Extracted

  • Family: redline
  • Botnet: 1
  • C2: 193.106.191.115:22844
  • Attributes
    • auth_value: 03a75a697cd88e0f34b1f6c08b8bbba9

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5bbe661cfc9bc2bc87e247ed77e8842405a8c668f6185a6bfcc1344ff871f065.exe"
    PID: 776
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), count 2
  • Discovery: Query Registry (T1012), count 1
  • Collection: Data from Local System (T1005), count 2


Downloads

  • memory/776-130-0x0000000002BE0000-0x0000000002C26000-memory.dmp (Filesize 280KB)
  • memory/776-131-0x00000000004B0000-0x00000000006D0000-memory.dmp (Filesize 2.1MB)
  • memory/776-132-0x0000000000FD0000-0x0000000000FD1000-memory.dmp (Filesize 4KB)
  • memory/776-133-0x00000000004B0000-0x00000000006D0000-memory.dmp (Filesize 2.1MB)
  • memory/776-134-0x0000000000FF0000-0x0000000000FF1000-memory.dmp (Filesize 4KB)
  • memory/776-135-0x0000000075C20000-0x0000000075E35000-memory.dmp (Filesize 2.1MB)
  • memory/776-136-0x0000000074860000-0x0000000075010000-memory.dmp (Filesize 7.7MB)
  • memory/776-137-0x00000000004B0000-0x00000000006D0000-memory.dmp (Filesize 2.1MB)
  • memory/776-138-0x00000000004B0000-0x00000000006D0000-memory.dmp (Filesize 2.1MB)
  • memory/776-139-0x00000000732F0000-0x0000000073379000-memory.dmp (Filesize 548KB)
  • memory/776-140-0x00000000772A0000-0x0000000077853000-memory.dmp (Filesize 5.7MB)
  • memory/776-141-0x0000000005D20000-0x0000000006338000-memory.dmp (Filesize 6.1MB)
  • memory/776-142-0x0000000003680000-0x0000000003692000-memory.dmp (Filesize 72KB)
  • memory/776-143-0x0000000005810000-0x000000000591A000-memory.dmp (Filesize 1.0MB)
  • memory/776-144-0x0000000005700000-0x0000000005D18000-memory.dmp (Filesize 6.1MB)
  • memory/776-145-0x0000000005700000-0x000000000573C000-memory.dmp (Filesize 240KB)
  • memory/776-146-0x000000006EB00000-0x000000006EB4C000-memory.dmp (Filesize 304KB)
  • memory/776-147-0x0000000001180000-0x00000000011F6000-memory.dmp (Filesize 472KB)
  • memory/776-148-0x00000000012A0000-0x0000000001332000-memory.dmp (Filesize 584KB)
  • memory/776-149-0x00000000068F0000-0x0000000006E94000-memory.dmp (Filesize 5.6MB)
  • memory/776-150-0x0000000001260000-0x000000000127E000-memory.dmp (Filesize 120KB)
  • memory/776-151-0x00000000065A0000-0x0000000006606000-memory.dmp (Filesize 408KB)
  • memory/776-152-0x0000000007170000-0x0000000007332000-memory.dmp (Filesize 1.8MB)
  • memory/776-153-0x0000000007870000-0x0000000007D9C000-memory.dmp (Filesize 5.2MB)