General
Target

bc9efb9a8d8073d39ccd22ac5260b565b16668fb3e819ed9642f5f9737b3d50e.exe

Filesize

407KB

Completed

21-05-2022 16:05

Task

behavioral1

Score
10/10
MD5

5bb513cf9d1066060ebf49b02612559b

SHA1

a4b374299a26a17f14c2b5c13baca342b73a8ea6

SHA256

bc9efb9a8d8073d39ccd22ac5260b565b16668fb3e819ed9642f5f9737b3d50e

SHA256

4f13a99c6316059f1da8b55c55582aa87fcaed28801af39acdd3ac0f0293bd86806e019805630e3899fd3486434f1eab35bf40902c8fd73a19a0fc58bc01fa7d

Malware Config

Extracted

Family

redline

Botnet

test1

C2

185.215.113.75:80

Attributes
auth_value
7ab4a4e2eae9eb7ae10f64f68df53bb3
Signatures 6

Filter: none

Collection
Credential Access
Discovery
  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Suspicious behavior: EnumeratesProcesses
    bc9efb9a8d8073d39ccd22ac5260b565b16668fb3e819ed9642f5f9737b3d50e.exe

    Reported IOCs

    pidprocess
    3200bc9efb9a8d8073d39ccd22ac5260b565b16668fb3e819ed9642f5f9737b3d50e.exe
  • Suspicious use of AdjustPrivilegeToken
    bc9efb9a8d8073d39ccd22ac5260b565b16668fb3e819ed9642f5f9737b3d50e.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege3200bc9efb9a8d8073d39ccd22ac5260b565b16668fb3e819ed9642f5f9737b3d50e.exe
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\bc9efb9a8d8073d39ccd22ac5260b565b16668fb3e819ed9642f5f9737b3d50e.exe
    "C:\Users\Admin\AppData\Local\Temp\bc9efb9a8d8073d39ccd22ac5260b565b16668fb3e819ed9642f5f9737b3d50e.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:3200
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • memory/3200-118-0x00000000023D0000-0x0000000002400000-memory.dmp

                    • memory/3200-119-0x0000000000530000-0x00000000005DE000-memory.dmp

                    • memory/3200-120-0x0000000004C30000-0x000000000512E000-memory.dmp

                    • memory/3200-121-0x0000000000730000-0x0000000000767000-memory.dmp

                    • memory/3200-122-0x0000000000400000-0x00000000004A7000-memory.dmp

                    • memory/3200-123-0x00000000024D0000-0x00000000024FE000-memory.dmp

                    • memory/3200-124-0x0000000005130000-0x0000000005736000-memory.dmp

                    • memory/3200-125-0x0000000005740000-0x0000000005752000-memory.dmp

                    • memory/3200-126-0x0000000005760000-0x000000000586A000-memory.dmp

                    • memory/3200-127-0x0000000005870000-0x00000000058AE000-memory.dmp

                    • memory/3200-128-0x0000000005900000-0x000000000594B000-memory.dmp

                    • memory/3200-129-0x0000000006660000-0x00000000066D6000-memory.dmp

                    • memory/3200-130-0x00000000066F0000-0x0000000006782000-memory.dmp

                    • memory/3200-131-0x0000000006800000-0x000000000681E000-memory.dmp

                    • memory/3200-132-0x0000000006990000-0x00000000069F6000-memory.dmp

                    • memory/3200-133-0x0000000006DF0000-0x0000000006FB2000-memory.dmp

                    • memory/3200-134-0x0000000006FC0000-0x00000000074EC000-memory.dmp