Analysis
-
max time kernel
36s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
resource tags
arch:x64arch:x86image:win7-20220414-enlocale:en-usos:windows7-x64system -
submitted
17-07-2022 18:21
Behavioral task
behavioral1
Sample
Okjzyqowxr.exe
Resource
win7-20220414-en
7 signatures
150 seconds
General
-
Target
Okjzyqowxr.exe
-
Size
95KB
-
MD5
b27c93e7880924b0a13504c214204d94
-
SHA1
aeca49edf0086ce10baccffb52caccf8fc883742
-
SHA256
822d4be0f23ff69985264de4d28efa8754684ffb7c5929cb73cb4f9f7858504f
-
SHA512
c6974d9cffa76d64a6f4612f0163878957a6ac25ee96010d0d663bb4df4e6d4691c2cf5758106273b2fc4aaf0ed32ba857d1fef784cf676835acab37d7efd9db
Malware Config
Extracted
Family
redline
Botnet
cheats
C2
5.249.162.225:16731
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1500-54-0x0000000000DA0000-0x0000000000DBE000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Okjzyqowxr.exepid process 1500 Okjzyqowxr.exe 1500 Okjzyqowxr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Okjzyqowxr.exedescription pid process Token: SeDebugPrivilege 1500 Okjzyqowxr.exe