Analysis
-
max time kernel
40s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
14-05-2022 16:43
Behavioral task
behavioral1
Sample
a75081d55135abfa799eaf5a30241b5d.exe
Resource
win7-20220414-en
General
-
Target
a75081d55135abfa799eaf5a30241b5d.exe
-
Size
112KB
-
MD5
a75081d55135abfa799eaf5a30241b5d
-
SHA1
9125393b0a6fcc18111927832f2d7a4a6a877b6d
-
SHA256
421094ac9ed1c5f1af82e3dbf6870db9fa8d41ae0f6e63a274493b51c1947358
-
SHA512
c4f91538e76d957f04c4872935c9c0e5b8b7167cf86d77414a50e5d5e6f4ca2aaf47dc5280996455ab5ed69cd5ed45a6f8667adaa83b3b1d19c6c61a6a100f82
Malware Config
Extracted
redline
test1
23.88.112.179:19536
-
auth_value
68c6114f4d4c471ad88677f54e75676f
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1520-54-0x0000000000280000-0x00000000002A0000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
a75081d55135abfa799eaf5a30241b5d.exepid process 1520 a75081d55135abfa799eaf5a30241b5d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a75081d55135abfa799eaf5a30241b5d.exedescription pid process Token: SeDebugPrivilege 1520 a75081d55135abfa799eaf5a30241b5d.exe