Analysis
Max time kernel: 51s
Max time network: 139s
Platform: windows10_x64
Resource: win10-20220414-en
Submitted: 21-05-2022 15:11
Static task: static1
Behavioral task: behavioral1
  Sample: 88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe
  Resource: win10-20220414-en
General
Target: 88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe
Size: 416KB
MD5: 3f9fa9eda535e8bbba665fb4466fd64d
SHA1: 50737150378d24054642505217458cd33de9e36e
SHA256: 88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779
SHA512: 413d9a05088c3bcf4bb1dcea6e4f2e09c9f99c920dbba883ed0e8715694a8baaa1034a2ab7a77c50c679e1565fb2ea85931f85c5fec0eb6c64474c971a588772
Malware Config
Extracted
Family: redline
Botnet: RuzkiUNIKALNO
C2: 193.233.48.58:38989
Attributes
  auth_value: c504b04cfbdd4bf85ce6195bcb37fba6
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Resource / YARA rule:
behavioral1/memory/4016-121-0x0000000002380000-0x00000000023B4000-memory.dmp  family_redline
behavioral1/memory/4016-123-0x0000000002810000-0x0000000002844000-memory.dmp  family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Description / PID / Process:
Token: SeDebugPrivilege  4016  88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe
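Taken individually, each of the behaviours listed above also occurs in benign software (installers enumerate the Uninstall key, debuggers enable SeDebugPrivilege, browsers read their own profile stores); it is the combination in one non-browser process that marks a stealer. The Python below is an added example, not sandbox output and not code from the sample: it shows how the four signatures can be folded into one per-process verdict. The event layout, the process paths and the sample events are constructed for this example, and the browser and wallet path markers are a few common stores rather than a complete list.

```python
"""Stealer heuristic over per-process activity events.

Added example, not part of the sandbox report and not code from the sample:
it combines the four behaviours the report lists (browser profile reads,
wallet access, Uninstall key enumeration, SeDebugPrivilege) into one verdict.
The event layout and SAMPLE_EVENTS are constructed; the path markers are a
few common stores, not a complete list.
"""
from collections import defaultdict

# Browser profile directories and the credential/cookie stores inside them.
BROWSER_PROFILE_DIRS = (
    "\\google\\chrome\\user data\\",
    "\\microsoft\\edge\\user data\\",
    "\\mozilla\\firefox\\profiles\\",
)
BROWSER_STORE_FILES = {"login data", "cookies", "web data", "logins.json", "key4.db", "cookies.sqlite"}
# Wallet files and wallet-application data directories.
WALLET_MARKERS = ("wallet.dat", "\\exodus\\", "\\electrum\\", "\\ethereum\\keystore", "\\atomic\\")
# Substring that matches both the native and the Wow6432Node Uninstall key.
UNINSTALL_KEY = "\\currentversion\\uninstall"
# Browsers reading their own profile stores are expected; anything else is not.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

TAG_BROWSER = "reads_browser_data"
TAG_WALLET = "accesses_wallets"
TAG_UNINSTALL = "enumerates_installed_software"
TAG_DEBUG = "adjust_privilege_token"


def classify(event):
    """Map one event to one of the report's TTP tags, or None if it is benign."""
    target = event.get("target", "").lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    kind = event["type"]
    if kind == "file_read":
        in_profile = any(d in target for d in BROWSER_PROFILE_DIRS)
        if in_profile and target.rsplit("\\", 1)[-1] in BROWSER_STORE_FILES:
            return None if image in BROWSER_IMAGES else TAG_BROWSER
        if any(m in target for m in WALLET_MARKERS):
            return TAG_WALLET
    elif kind == "reg_query" and UNINSTALL_KEY in target:
        return TAG_UNINSTALL
    elif kind == "token_privilege" and event.get("privilege") == "SeDebugPrivilege":
        return TAG_DEBUG
    return None


def score_processes(events):
    """Return {pid: (image, sorted tags, verdict)} for every process seen.

    'stealer' needs both harvesting tags (browser + wallet) or three of the
    four behaviours; a single behaviour is only 'suspicious' because installers
    and debuggers legitimately produce it on their own.
    """
    tags, images = defaultdict(set), {}
    for ev in events:
        images[ev["pid"]] = ev["image"]
        tag = classify(ev)
        if tag:
            tags[ev["pid"]].add(tag)
    verdicts = {}
    for pid, image in images.items():
        got = sorted(tags[pid])
        harvesting = {TAG_BROWSER, TAG_WALLET}.issubset(got)
        verdict = "stealer" if harvesting or len(got) >= 3 else "suspicious" if got else "clean"
        verdicts[pid] = (image, got, verdict)
    return verdicts


# Constructed sample events: pid 4016 mirrors the behaviours this report lists,
# chrome.exe reads its own store, setup.exe only reads the Uninstall key.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe"
SAMPLE_EVENTS = [
    {"pid": 4016, "image": SAMPLE, "type": "token_privilege", "privilege": "SeDebugPrivilege"},
    {"pid": 4016, "image": SAMPLE, "type": "reg_query",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"},
    {"pid": 4016, "image": SAMPLE, "type": "file_read",
     "target": "C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"pid": 4016, "image": SAMPLE, "type": "file_read",
     "target": "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default-release\\logins.json"},
    {"pid": 4016, "image": SAMPLE, "type": "file_read",
     "target": "C:\\Users\\Admin\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"},
    {"pid": 5120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "type": "file_read",
     "target": "C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"pid": 6000, "image": "C:\\Users\\Admin\\Downloads\\setup.exe", "type": "reg_query",
     "target": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{abcd}"},
]

if __name__ == "__main__":
    for pid, (image, got, verdict) in score_processes(SAMPLE_EVENTS).items():
        name = image.rsplit("\\", 1)[-1]
        print(f"{pid:5d} {verdict:10s} {name} {got}")
```

Run stand-alone it prints one verdict line per process: the sample process collects all four tags and is scored "stealer", chrome.exe reading its own Login Data stays "clean", and setup.exe touching only the Uninstall key is merely "suspicious". In a real pipeline the events would come from Sysmon (file and registry events) or an EDR's token-privilege telemetry rather than from the constructed list.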
Downloads
memory/4016-118-0x00000000004B0000-0x00000000005FA000-memory.dmp  Filesize 1.3MB
memory/4016-119-0x00000000020D0000-0x000000000210A000-memory.dmp  Filesize 232KB
memory/4016-120-0x0000000000400000-0x00000000004A9000-memory.dmp  Filesize 676KB
memory/4016-121-0x0000000002380000-0x00000000023B4000-memory.dmp  Filesize 208KB
memory/4016-122-0x0000000004D30000-0x000000000522E000-memory.dmp  Filesize 5.0MB
memory/4016-123-0x0000000002810000-0x0000000002844000-memory.dmp  Filesize 208KB
memory/4016-124-0x0000000005230000-0x0000000005836000-memory.dmp  Filesize 6.0MB
memory/4016-125-0x0000000004C30000-0x0000000004C42000-memory.dmp  Filesize 72KB
memory/4016-126-0x0000000005840000-0x000000000594A000-memory.dmp  Filesize 1.0MB
memory/4016-127-0x0000000004C80000-0x0000000004CBE000-memory.dmp  Filesize 248KB
memory/4016-128-0x0000000005950000-0x000000000599B000-memory.dmp  Filesize 300KB
memory/4016-129-0x0000000005BB0000-0x0000000005C26000-memory.dmp  Filesize 472KB
memory/4016-130-0x0000000005CA0000-0x0000000005D32000-memory.dmp  Filesize 584KB
memory/4016-131-0x0000000005C70000-0x0000000005C8E000-memory.dmp  Filesize 120KB
memory/4016-132-0x0000000005E90000-0x0000000005EF6000-memory.dmp  Filesize 408KB
memory/4016-133-0x00000000065C0000-0x0000000006782000-memory.dmp  Filesize 1.8MB
memory/4016-134-0x00000000067B0000-0x0000000006CDC000-memory.dmp  Filesize 5.2MB
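Each dump name above encodes the process id, a dump index and the start and end address of the region that was written out, so the listed sizes can be cross-checked against the address ranges and the YARA hits from the Signatures section can be placed on an address-ordered map of the process. The Python below is an added example, not tooling from the sandbox: the listing and the YARA hits it consumes are the ones printed on this page, the pid-index-start-end layout is what the names show, and the size rendering (whole KB below 1 MiB, one decimal MB above) is an assumption checked against the listed values.

```python
"""Parse and cross-check the memory-dump listing of a sandbox report.

Added example, not tooling from the sandbox. DUMP_LISTING and YARA_HITS are the
entries printed on this page; the dump-name layout (pid-index-start-end) is what
the page shows, and the size rendering in human_size is an assumption.
"""
import re
from dataclasses import dataclass

# The "Downloads" listing from this page, one "name size" entry per line.
DUMP_LISTING = """\
memory/4016-118-0x00000000004B0000-0x00000000005FA000-memory.dmp 1.3MB
memory/4016-119-0x00000000020D0000-0x000000000210A000-memory.dmp 232KB
memory/4016-120-0x0000000000400000-0x00000000004A9000-memory.dmp 676KB
memory/4016-121-0x0000000002380000-0x00000000023B4000-memory.dmp 208KB
memory/4016-122-0x0000000004D30000-0x000000000522E000-memory.dmp 5.0MB
memory/4016-123-0x0000000002810000-0x0000000002844000-memory.dmp 208KB
memory/4016-124-0x0000000005230000-0x0000000005836000-memory.dmp 6.0MB
memory/4016-125-0x0000000004C30000-0x0000000004C42000-memory.dmp 72KB
memory/4016-126-0x0000000005840000-0x000000000594A000-memory.dmp 1.0MB
memory/4016-127-0x0000000004C80000-0x0000000004CBE000-memory.dmp 248KB
memory/4016-128-0x0000000005950000-0x000000000599B000-memory.dmp 300KB
memory/4016-129-0x0000000005BB0000-0x0000000005C26000-memory.dmp 472KB
memory/4016-130-0x0000000005CA0000-0x0000000005D32000-memory.dmp 584KB
memory/4016-131-0x0000000005C70000-0x0000000005C8E000-memory.dmp 120KB
memory/4016-132-0x0000000005E90000-0x0000000005EF6000-memory.dmp 408KB
memory/4016-133-0x00000000065C0000-0x0000000006782000-memory.dmp 1.8MB
memory/4016-134-0x00000000067B0000-0x0000000006CDC000-memory.dmp 5.2MB
"""
# The YARA rule hits listed under "RedLine Payload" on this page.
YARA_HITS = {
    "behavioral1/memory/4016-121-0x0000000002380000-0x00000000023B4000-memory.dmp": "family_redline",
    "behavioral1/memory/4016-123-0x0000000002810000-0x0000000002844000-memory.dmp": "family_redline",
}
DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


@dataclass(frozen=True, order=True)
class Region:
    start: int  # first field so regions sort by address
    end: int
    pid: int
    idx: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name):
    """Decode pid, dump index and address range from a dump file name."""
    m = DUMP_NAME.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    region = Region(int(m["start"], 16), int(m["end"], 16), int(m["pid"]), int(m["idx"]))
    if region.end <= region.start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return region


def human_size(n):
    """Assumed report convention: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / (1 << 20):.1f}MB" if n >= 1 << 20 else f"{n // 1024}KB"


def parse_listing(text):
    """Return (Region, listed size) pairs from a 'name size' listing."""
    pairs = []
    for line in text.splitlines():
        if line.strip():
            name, listed = line.split()
            pairs.append((parse_dump_name(name), listed))
    return pairs


def size_mismatches(pairs):
    """Entries whose listed size disagrees with the size implied by the address range."""
    return [(r, listed, human_size(r.size)) for r, listed in pairs if human_size(r.size) != listed]


def overlapping_regions(regions):
    """Pairs of regions whose address ranges overlap (the same pages dumped twice)."""
    ordered = sorted(regions)
    return [(a, b) for i, a in enumerate(ordered) for b in ordered[i + 1:] if b.start < a.end]


def flagged_regions(hits, family):
    """Regions whose dump matched the given YARA family, in address order."""
    return sorted(parse_dump_name(n) for n, fam in hits.items() if fam == family)


def memory_map(pairs, hits):
    """Address-ordered rows: range, size, dump index and the YARA family hit, if any."""
    flagged = {(r.pid, r.idx): fam for r, fam in ((parse_dump_name(n), f) for n, f in hits.items())}
    rows = []
    for region, _ in sorted(pairs):
        tag = flagged.get((region.pid, region.idx), "-")
        rows.append(f"{region.start:#010x}-{region.end:#010x} {human_size(region.size):>6} dump {region.idx} {tag}")
    return rows


if __name__ == "__main__":
    pairs = parse_listing(DUMP_LISTING)
    print("\n".join(memory_map(pairs, YARA_HITS)))
    print("size mismatches:", size_mismatches(pairs))
    print("overlaps:", overlapping_regions([r for r, _ in pairs]))
```

Run stand-alone it prints the 17 regions in address order with the two family_redline hits marked, an empty mismatch list (every listed size is what the address range implies) and no overlapping ranges. The address-ordered view is what a practitioner wants when deciding which dump to carve: the two YARA-flagged regions are both 208KB private allocations well away from the 0x400000 image mapping, which is the shape one expects for an unpacked payload rather than the on-disk file.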