Analysis
-
max time kernel
40s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
29-06-2022 23:13
Behavioral task
behavioral1
Sample
2464-280-0x00000000028C0000-0x00000000028E2000-memory.exe
Resource
win7-20220414-en
General
-
Target
2464-280-0x00000000028C0000-0x00000000028E2000-memory.exe
-
Size
136KB
-
MD5
43b2ca50510a1feb40201526697d5199
-
SHA1
b5523504af5deca9a8d41590f9ca3fcdf2e9f7f9
-
SHA256
16f772d45322cb7246e7457e743da35ec57cba8800f830e4ec1144971c80be05
-
SHA512
608af8967f112e65a61544a8fa17c11dbb85f7d01b4464666264c6b044fa7c54f96f01254ac6e454c67db2159f1a826fa5b9a98a4e8af1f1e1a1532c2f991431
Malware Config
Extracted
redline
Mount2
ushatamaiet.xyz:80
adinoreiver.xyz:80
qulyneanica.com:80
-
auth_value
041a7c36d4c8d195af1a8b950182ee96
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1640-54-0x0000000000EE0000-0x0000000000F02000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
2464-280-0x00000000028C0000-0x00000000028E2000-memory.exepid process 1640 2464-280-0x00000000028C0000-0x00000000028E2000-memory.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2464-280-0x00000000028C0000-0x00000000028E2000-memory.exedescription pid process Token: SeDebugPrivilege 1640 2464-280-0x00000000028C0000-0x00000000028E2000-memory.exe