Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
15-08-2022 05:58
Behavioral task
behavioral1
Sample
b2ba97534d4f06a680b89e7a72f9bd2d.exe
Resource
win7-20220812-en
General
-
Target
b2ba97534d4f06a680b89e7a72f9bd2d.exe
-
Size
107KB
-
MD5
b2ba97534d4f06a680b89e7a72f9bd2d
-
SHA1
94621d3abcb442cabbdbb98bc8c348d87b63e55b
-
SHA256
5bea873f424343d158a59032eba5e9d54a7e21634169eb6a95c9d6a11cd2b9f4
-
SHA512
f1f5a01530f2bdd55ecfdf59005e4764ccdc57a6301431342ceca63e5428cbc717ec976b236ab71302b8b9ec80bca71714f41c2a4d8b0eb1c1fc227e235a1099
Malware Config
Extracted
redline
X
45.76.223.107:25950
-
auth_value
249e1ece2f90b39d9c5563282076f21f
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1980-54-0x00000000001D0000-0x00000000001F0000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
b2ba97534d4f06a680b89e7a72f9bd2d.exedescription pid process Token: SeDebugPrivilege 1980 b2ba97534d4f06a680b89e7a72f9bd2d.exe