Analysis
-
max time kernel
91s -
max time network
183s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
31-07-2021 18:03
Static task
static1
Behavioral task
behavioral1
Sample
df4b40ac854ceef5992b98fa1f733532.exe
Resource
win7v20210408
General
-
Target
df4b40ac854ceef5992b98fa1f733532.exe
-
Size
264KB
-
MD5
df4b40ac854ceef5992b98fa1f733532
-
SHA1
783a0508e0596e711929da174926b32aaee16ad2
-
SHA256
0344c20e70f91bc71b10fb60f5043bc07f238d1439b277fec325b3cc10c19668
-
SHA512
f765832164f8453548f33abf7c58d11b7651955a779824099800aca41b0a7360258eb184b6a118b5b838f909b83e652d6efe53cc38cc53f0ea21c7ccd28bf7da
Malware Config
Extracted
redline
3
213.166.68.170:16810
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/320-62-0x0000000000260000-0x0000000000279000-memory.dmp family_redline -
Downloads MZ/PE file
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
df4b40ac854ceef5992b98fa1f733532.exepid process 320 df4b40ac854ceef5992b98fa1f733532.exe 320 df4b40ac854ceef5992b98fa1f733532.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
df4b40ac854ceef5992b98fa1f733532.exedescription pid process Token: SeDebugPrivilege 320 df4b40ac854ceef5992b98fa1f733532.exe