Analysis
- max time kernel: 92s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 04:03
General
- Target: 2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4.exe
- Size: 361KB
- MD5: 9e2b897a7c63d54fe8495df1efb44190
- SHA1: a0cbe58ef5a9c5ef0918a387283a9fc913a206c8
- SHA256: 2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4
- SHA512: 60ab6188c2f66ee5863220bfd78fdf9ddae326e9c55154778efa85aec5a4a00438dad85d9529f72111add08e9c28d4c6dd0cdc8e3b216a64d363dd47b62feb9f
- SSDEEP: 6144:eEaXBUcN2BRrn1fH0N6GkBut5adsSEK69yDPhSjYlakxjTLVqoARRSTZAPdg+:/aRDNoVJKRtUdsSEK69yDPhSjYlakxjv
Malware Config
Extracted
- redline
- 0002
- 13.72.81.58:13413
- auth_value: 866ce0ed8cfe2be77fb43a4912677698
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  Processes:
  - resource: behavioral1/memory/4512-132-0x00000000005F0000-0x0000000000650000-memory.dmp, yara_rule: family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - pid: 4512, process: 2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4.exe
  - pid: 4512, process: 2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege, pid: 4512, process: 2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ffe2df993b67638486e696c776f7dc2dd3bf1f83a948f7a9f5a10aa990ff8e4.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4512-132-0x00000000005F0000-0x0000000000650000-memory.dmp (filesize: 384KB)
- memory/4512-133-0x000000000AC90000-0x000000000B2A8000-memory.dmp (filesize: 6.1MB)
- memory/4512-134-0x000000000A800000-0x000000000A90A000-memory.dmp (filesize: 1.0MB)
- memory/4512-135-0x000000000A730000-0x000000000A742000-memory.dmp (filesize: 72KB)
- memory/4512-136-0x000000000A790000-0x000000000A7CC000-memory.dmp (filesize: 240KB)
- memory/4512-137-0x000000000B860000-0x000000000BE04000-memory.dmp (filesize: 5.6MB)
- memory/4512-138-0x000000000ABF0000-0x000000000AC82000-memory.dmp (filesize: 584KB)
- memory/4512-139-0x000000000B2B0000-0x000000000B316000-memory.dmp (filesize: 408KB)
- memory/4512-140-0x000000000D2A0000-0x000000000D462000-memory.dmp (filesize: 1.8MB)
- memory/4512-141-0x000000000D9A0000-0x000000000DECC000-memory.dmp (filesize: 5.2MB)
- memory/4512-142-0x0000000007260000-0x00000000072D6000-memory.dmp (filesize: 472KB)
- memory/4512-143-0x00000000072E0000-0x0000000007330000-memory.dmp (filesize: 320KB)