Analysis

- max time kernel: 49s
- max time network: 74s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-05-2022 22:21

Static task: static1
Behavioral task: behavioral1
- Sample: 2bcc9ed563669f8007cec75c3fe6cd79fa0425cd781da80e0241557c2806de22.exe
- Resource: win7-20220414-en
General

- Target: 2bcc9ed563669f8007cec75c3fe6cd79fa0425cd781da80e0241557c2806de22.exe
- Size: 399KB
- MD5: b39816bc106dc09aba8a1341d83bfe29
- SHA1: 8ec230bf2515b9a79c0e8c06053cdb75d40e09ee
- SHA256: 2bcc9ed563669f8007cec75c3fe6cd79fa0425cd781da80e0241557c2806de22
- SHA512: 8d540901ff1fb7db8cb9a2b6eb172df7a4e24270b508bd53e83c7d17c67458142848f98c555288d2203fd84b1ce30324bde1bb06bf3cfdce1c4c5b660b594eba
Malware Config

Extracted
- family: redline
- C2: 51.89.204.186:36124
- auth_value: aa046d0ca32fcb8538726e938e3bd00c
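The extracted config and the file hashes above are the indicators an analyst would push into detection. The script below is an added example, not part of the sandbox report: it matches the report's C2 endpoint (ip and port together) and the three file hashes against connection and file-event log lines. The log lines, host names, file paths and the non-matching hash in it are constructed for the demo; only the indicators themselves come from the report.

```python
"""Match the indicators extracted in this report against log lines.

Added example, not part of the sandbox report. The C2 endpoint, auth_value and
file hashes are copied from the report; the log lines, host names and file
paths below are constructed for the demo.
"""
import re

# Indicators copied from the report (Malware Config and General sections).
REDLINE_C2 = ("51.89.204.186", 36124)
REDLINE_AUTH_VALUE = "aa046d0ca32fcb8538726e938e3bd00c"  # identifies the build/campaign
SAMPLE_HASHES = {
    "md5": "b39816bc106dc09aba8a1341d83bfe29",
    "sha1": "8ec230bf2515b9a79c0e8c06053cdb75d40e09ee",
    "sha256": "2bcc9ed563669f8007cec75c3fe6cd79fa0425cd781da80e0241557c2806de22",
}

# Constructed sample logs: a firewall-style connection log and an EDR-style
# file-event log. Hosts, ports, paths and the all-zero hash are made up.
CONN_LOG = """\
2022-05-11T22:21:05Z host=ws01 src=10.0.0.15:49712 dst=51.89.204.186:36124 proto=tcp action=allow
2022-05-11T22:21:06Z host=ws01 src=10.0.0.15:49713 dst=142.250.74.78:443 proto=tcp action=allow
2022-05-11T22:22:10Z host=ws02 src=10.0.0.22:51230 dst=51.89.204.186:443 proto=tcp action=allow
"""
FILE_LOG = """\
2022-05-11T22:20:58Z host=ws01 event=file_create path=C:\\Users\\Admin\\AppData\\Local\\Temp\\invoice.exe sha256=2BCC9ED563669F8007CEC75C3FE6CD79FA0425CD781DA80E0241557C2806DE22
2022-05-11T22:20:59Z host=ws03 event=file_create path=C:\\Windows\\Temp\\setup.exe sha256=0000000000000000000000000000000000000000000000000000000000000000
"""

_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
_HOST_RE = re.compile(r"\bhost=(\S+)")
# 64/40/32 hex digits bounded by non-hex characters: sha256, sha1, md5.
_HEX_RE = re.compile(
    r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
)


def match_c2(line, c2=REDLINE_C2):
    """True when the line's destination equals the C2 ip:port exactly.

    The port is part of the indicator: matching the IP alone would also flag
    the 443 connection to the same address, which may be unrelated hosting.
    """
    m = _DST_RE.search(line)
    return bool(m) and (m.group(1), int(m.group(2))) == c2


def match_hash(line, hashes=SAMPLE_HASHES):
    """Return the algorithm name of the first known sample hash on the line.

    Comparison is case-insensitive because tools differ in hex casing.
    """
    known = {v.lower(): algo for algo, v in hashes.items()}
    for tok in _HEX_RE.findall(line):
        if tok.lower() in known:
            return known[tok.lower()]
    return None


def host_of(line):
    m = _HOST_RE.search(line)
    return m.group(1) if m else None


def scan(conn_log=CONN_LOG, file_log=FILE_LOG):
    """Return (indicator, host, line) for every line that matches an IoC."""
    hits = []
    for line in conn_log.splitlines():
        if match_c2(line):
            hits.append(("c2", host_of(line), line))
    for line in file_log.splitlines():
        algo = match_hash(line)
        if algo:
            hits.append((f"hash:{algo}", host_of(line), line))
    return hits


if __name__ == "__main__":
    for indicator, host, line in scan():
        print(f"[{indicator}] {host}: {line}")
```

The auth_value is kept as a constant rather than matched against logs: it does not appear in connection or file events, but it is the value to compare across RedLine configs when deciding whether two samples belong to the same build.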
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Memory regions of pid 240 matched by the family_redline YARA rule:
    behavioral1/memory/240-54-0x00000000020F0000-0x0000000002124000-memory.dmp
    behavioral1/memory/240-58-0x0000000002120000-0x0000000002154000-memory.dmp
  The two matched regions overlap (0x02120000-0x02124000 lies in both), so they are not necessarily two independent copies of the payload.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate installed software on the system.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: pid 240, 2bcc9ed563669f8007cec75c3fe6cd79fa0425cd781da80e0241557c2806de22.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: pid 240, 2bcc9ed563669f8007cec75c3fe6cd79fa0425cd781da80e0241557c2806de22.exe enabled SeDebugPrivilege.
  SeDebugPrivilege lets a process open handles to other processes regardless of their DACL; together with process enumeration it is a common precursor to injection, but debuggers and many administrative tools request it too, so on its own it is a weak indicator.
Processes

- C:\Users\Admin\AppData\Local\Temp\2bcc9ed563669f8007cec75c3fe6cd79fa0425cd781da80e0241557c2806de22.exe (pid 240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bcc9ed563669f8007cec75c3fe6cd79fa0425cd781da80e0241557c2806de22.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps of pid 240)

- memory/240-54-0x00000000020F0000-0x0000000002124000-memory.dmp: 208KB
- memory/240-56-0x0000000000250000-0x000000000028A000-memory.dmp: 232KB
- memory/240-55-0x000000000066E000-0x000000000069A000-memory.dmp: 176KB
- memory/240-57-0x0000000000400000-0x00000000004F8000-memory.dmp: 992KB
- memory/240-58-0x0000000002120000-0x0000000002154000-memory.dmp: 208KB
- memory/240-59-0x00000000753C1000-0x00000000753C3000-memory.dmp: 8KB

Each name encodes the pid, the dump index and the start and end virtual addresses of the dumped region; the listed size is end minus start. The 992KB region at 0x00400000 starts at the default image base of a 32-bit executable and is most likely the sample's own mapped image; the two 208KB regions (dumps 54 and 58) are the ones the family_redline rule matched.
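To turn the list above into something checkable, the script below (an added example, not part of the sandbox report) parses each dump name into pid, index and address range, recomputes the sizes and compares them with the KB values the report shows, reports which of the rule-matched regions overlap, and picks out the region at the default 32-bit image base. The naming layout pid-index-start-end is inferred from the names and sizes on this page; the dump names and sizes are copied from the report.

```python
"""Parse the memory-dump names listed above and sanity-check them.

Added example, not part of the sandbox report. The dump names and the KB
sizes are copied from the report; the name layout (pid-index-start-end) is
inferred from those names and from the sizes listed next to them.
"""
import re
from dataclasses import dataclass
from itertools import combinations

_DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base of a 32-bit PE built with the usual linker settings.
DEFAULT_IMAGE_BASE_32 = 0x00400000


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    def overlaps(self, other: "Region") -> bool:
        """Half-open interval overlap within the same process."""
        return self.pid == other.pid and self.start < other.end and other.start < self.end


def parse_dump_name(name: str) -> Region:
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def size_kb(region: Region) -> int:
    return region.size // 1024


# Copied from the report's Downloads list, with the sizes it shows.
DUMPS = [
    "memory/240-54-0x00000000020F0000-0x0000000002124000-memory.dmp",
    "memory/240-56-0x0000000000250000-0x000000000028A000-memory.dmp",
    "memory/240-55-0x000000000066E000-0x000000000069A000-memory.dmp",
    "memory/240-57-0x0000000000400000-0x00000000004F8000-memory.dmp",
    "memory/240-58-0x0000000002120000-0x0000000002154000-memory.dmp",
    "memory/240-59-0x00000000753C1000-0x00000000753C3000-memory.dmp",
]
REPORTED_KB = {54: 208, 56: 232, 55: 176, 57: 992, 58: 208, 59: 8}
FAMILY_REDLINE_HITS = {54, 58}  # dump indexes matched by the family_redline rule


def check_sizes(names=DUMPS, reported=REPORTED_KB):
    """Return {idx: (computed_kb, reported_kb, agree)} for each dump."""
    out = {}
    for name in names:
        r = parse_dump_name(name)
        rep = reported.get(r.idx)
        out[r.idx] = (size_kb(r), rep, size_kb(r) == rep)
    return out


def yara_hit_overlaps(names=DUMPS, hits=FAMILY_REDLINE_HITS):
    """Pairs of rule-matched regions that share address space.

    Two hits on overlapping ranges of one process share pages, so they should
    not be counted as two independent payload copies without comparing the
    dump contents.
    """
    regions = [r for r in map(parse_dump_name, names) if r.idx in hits]
    return [(a, b) for a, b in combinations(regions, 2) if a.overlaps(b)]


def likely_main_image(names=DUMPS):
    """Region starting at the default 32-bit image base, if one was dumped."""
    for r in map(parse_dump_name, names):
        if r.start == DEFAULT_IMAGE_BASE_32:
            return r
    return None


if __name__ == "__main__":
    for idx, (got, rep, ok) in check_sizes().items():
        print(f"dump {idx}: {got}KB computed, {rep}KB reported, {'ok' if ok else 'MISMATCH'}")
    for a, b in yara_hit_overlaps():
        shared = f"0x{max(a.start, b.start):08X}-0x{min(a.end, b.end):08X}"
        print(f"overlap: dump {a.idx} and dump {b.idx} share {shared}")
```

On this report every computed size agrees with the listed one, and the only overlapping pair among the rule hits is dumps 54 and 58, which share 0x02120000-0x02124000.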