Analysis
-
max time kernel
39s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
06-07-2022 00:46
Behavioral task
behavioral1
Sample
32e524a990dd96c6192f066c787a2a9f.exe
Resource
win7-20220414-en
General
-
Target
32e524a990dd96c6192f066c787a2a9f.exe
-
Size
107KB
-
MD5
32e524a990dd96c6192f066c787a2a9f
-
SHA1
f031c9847294f298bffacec1b05c729e4d9c418c
-
SHA256
caec9d3eb952c9365cad842a74cdb955145d52bb9b1834afbf0bd7d83fe4da66
-
SHA512
b210d90c7f9e6addc4dc6455594d01374c16553100cd6c2bacb045c4d3926b5919278b7c0070fc6cd256d5d6bc2b14bed385a199d53caab0cedb88c8f5ddca3c
Malware Config
Extracted
redline
Europe
95.217.209.222:13663
-
auth_value
1dba5e33434f10aac4435480c820d246
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1416-54-0x0000000000370000-0x0000000000390000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
32e524a990dd96c6192f066c787a2a9f.exepid process 1416 32e524a990dd96c6192f066c787a2a9f.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
32e524a990dd96c6192f066c787a2a9f.exedescription pid process Token: SeDebugPrivilege 1416 32e524a990dd96c6192f066c787a2a9f.exe