Analysis
-
max time kernel
40s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
04-05-2022 05:21
Behavioral task
behavioral1
Sample
2008-59-0x0000000001F50000-0x0000000001F70000-memory.exe
Resource
win7-20220414-en
General
-
Target
2008-59-0x0000000001F50000-0x0000000001F70000-memory.exe
-
Size
128KB
-
MD5
823ebc53d1d22612afeba9c9e8729912
-
SHA1
13ae8b17a9d097557daaacba72f395c88febc0d1
-
SHA256
29b9fee0ab007b68732347d1936615eae9b53c7b9e4d2e85e2aaa8fd71b0e1bf
-
SHA512
1efc39b425afa5956c2aad2927213519a701cb8fbae09ca359a6c9ba7cc6fe8ce6a1255dbee8409f4627f6f6a248194335b21f44281207a33b6def401fc5680d
Malware Config
Extracted
redline
1
45.87.63.175:80
-
auth_value
bee3c59bada67864cb0d4dde954652de
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1284-54-0x0000000000130000-0x0000000000150000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
2008-59-0x0000000001F50000-0x0000000001F70000-memory.exepid process 1284 2008-59-0x0000000001F50000-0x0000000001F70000-memory.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2008-59-0x0000000001F50000-0x0000000001F70000-memory.exedescription pid process Token: SeDebugPrivilege 1284 2008-59-0x0000000001F50000-0x0000000001F70000-memory.exe