Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
01-02-2024 02:50
General
-
Target
a177d02e062d3068da14ad638fe58ce76d614fa15c1890f668747c61bd132aff.exe
-
Size
313KB
-
MD5
9aa8737202bac7dcc71ef4c77939f82b
-
SHA1
25b29b7274fb3ef7d16052f8400d24540621aff9
-
SHA256
a177d02e062d3068da14ad638fe58ce76d614fa15c1890f668747c61bd132aff
-
SHA512
aa55987a32b3e259376594df68a2008007353953a2bf390b44b908e5fdaee181d3b216aec46f8679aa5f5e4164a0a412511621c6249d3cab7e1eba86d8494a7a
-
SSDEEP
3072:UA0KubVwL+uacYOFq70W09SIg8DJn5MxfCpWLMRqfjDv/YheqiOL2bBO2:8Qpaw40r8IDYx64MRqfjD4jL
Malware Config
Extracted
redline
@RLREBORN Cloud TG: @FATHEROFCARDERS)
141.95.211.148:46011
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a177d02e062d3068da14ad638fe58ce76d614fa15c1890f668747c61bd132aff.exe"C:\Users\Admin\AppData\Local\Temp\a177d02e062d3068da14ad638fe58ce76d614fa15c1890f668747c61bd132aff.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3556-1-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/3556-0-0x00000000004E0000-0x0000000000534000-memory.dmpFilesize
336KB
-
memory/3556-2-0x00000000055B0000-0x0000000005B54000-memory.dmpFilesize
5.6MB
-
memory/3556-3-0x0000000004F20000-0x0000000004FB2000-memory.dmpFilesize
584KB
-
memory/3556-4-0x0000000005140000-0x0000000005150000-memory.dmpFilesize
64KB
-
memory/3556-5-0x00000000050F0000-0x00000000050FA000-memory.dmpFilesize
40KB
-
memory/3556-6-0x0000000006440000-0x0000000006A58000-memory.dmpFilesize
6.1MB
-
memory/3556-7-0x0000000007DD0000-0x0000000007EDA000-memory.dmpFilesize
1.0MB
-
memory/3556-8-0x0000000007CC0000-0x0000000007CD2000-memory.dmpFilesize
72KB
-
memory/3556-9-0x0000000007D20000-0x0000000007D5C000-memory.dmpFilesize
240KB
-
memory/3556-10-0x0000000007D60000-0x0000000007DAC000-memory.dmpFilesize
304KB
-
memory/3556-11-0x00000000089F0000-0x0000000008A56000-memory.dmpFilesize
408KB
-
memory/3556-12-0x0000000009170000-0x0000000009332000-memory.dmpFilesize
1.8MB
-
memory/3556-13-0x0000000009870000-0x0000000009D9C000-memory.dmpFilesize
5.2MB
-
memory/3556-14-0x0000000009340000-0x0000000009390000-memory.dmpFilesize
320KB
-
memory/3556-15-0x0000000005140000-0x0000000005150000-memory.dmpFilesize
64KB
-
memory/3556-17-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB