Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
19-01-2022 12:07
Static task
static1
Behavioral task
behavioral1
Sample
4cebae64e0fb876ce9ac5c0bfc7c0bb8.exe
Resource
win7-en-20211208
General
-
Target
4cebae64e0fb876ce9ac5c0bfc7c0bb8.exe
-
Size
409KB
-
MD5
4cebae64e0fb876ce9ac5c0bfc7c0bb8
-
SHA1
1c02db2ea5cec5ec367754713f3a50610607f59f
-
SHA256
854fafb9118a481083c420e6701ecee2b438700c267a3debfa7d75afb44eab8d
-
SHA512
ae7e8a189a344d8f2e9e706a4056fb604cb6585fd30855a9df36e61016222c6aad6ad4cd624f00e9261c286fef173833306e70e8bd8b7b9ee67101fa88add309
Malware Config
Extracted
redline
Pablicher
185.215.113.10:39759
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral1/memory/1684-57-0x00000000007D0000-0x0000000000804000-memory.dmp family_redline behavioral1/memory/1684-61-0x0000000002290000-0x00000000022C2000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1684 4cebae64e0fb876ce9ac5c0bfc7c0bb8.exe