Analysis
-
max time kernel
4294179s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
15-03-2022 14:49
Behavioral task
behavioral1
Sample
0x0007000000021e83-163.exe
Resource
win7-20220311-en
General
-
Target
0x0007000000021e83-163.exe
-
Size
107KB
-
MD5
00e43a3bfd4f821d13329209ab4875e7
-
SHA1
3a6648e1f23684d2ffe2e5af683761c184537a1e
-
SHA256
354a014aac7be2159294631afdc5a0683edd91ec8b7c9b34d3548b2227a047f2
-
SHA512
2c018312976ce2d0b5e5cf12b5e5daa3773507042fceab0ab4a88f38db53cc3a99063cc6455412cd93b308a2fcdd6b777f0c56c8b1b1686bab942464867a4c62
Malware Config
Extracted
redline
da da
86.107.197.196:63065
-
auth_value
9b1654b30797c210c85bd0890936a5b9
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/296-54-0x0000000001080000-0x00000000010A0000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
0x0007000000021e83-163.exepid process 296 0x0007000000021e83-163.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0x0007000000021e83-163.exedescription pid process Token: SeDebugPrivilege 296 0x0007000000021e83-163.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/296-54-0x0000000001080000-0x00000000010A0000-memory.dmpFilesize
128KB
-
memory/296-55-0x0000000076851000-0x0000000076853000-memory.dmpFilesize
8KB
-
memory/296-56-0x0000000074940000-0x000000007502E000-memory.dmpFilesize
6.9MB
-
memory/296-57-0x0000000000D20000-0x0000000000D21000-memory.dmpFilesize
4KB