Analysis
-
max time kernel
47s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
10-06-2022 16:33
Behavioral task
behavioral1
Sample
308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe
Resource
win7-20220414-en
General
-
Target
308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe
-
Size
106KB
-
MD5
a46648b2dd6e96562b144ae36956f123
-
SHA1
caa5d0f31b1dcc21e2267a2b240d35e1c7ce769a
-
SHA256
308fcf160e8a3e3956eae1a8a2285d06813dd879104601e884b5af4c960ca82a
-
SHA512
311fd32bd11758d72be1324666bc8e504682e48095698cef6d65ced0422a53f636fbf4cb66348f37e945fb043cf590a57b368a64d9516e47bb04b1a53e56ec52
Malware Config
Extracted
redline
10
179.43.154.136:6001
-
auth_value
d695bfb18b65b93b53b6583424227f3c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1512-54-0x0000000000B20000-0x0000000000B40000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exepid process 1512 308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exedescription pid process Token: SeDebugPrivilege 1512 308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe