Analysis
-
max time kernel
45s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
09-09-2022 07:46
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
General
-
Target
file.exe
-
Size
137KB
-
MD5
1cd36877d5e6e6fafa38f1c9f21cedf3
-
SHA1
e02d4dfad2a1a82a5bc5f6125bb421a02c42d363
-
SHA256
d273fc08938b54321f5d01dfa9200573efdf9d6fb9a2daf038aedd9d1f85ad65
-
SHA512
98756c55b5a2d2497c854edd0a8b47cd36a22467280989ab3cc520b68307d08f91346f594453c6bbba73d296faca46bc7d996caf3fb0e261587efbb6c207569a
-
SSDEEP
3072:UYO/ZMTF5tgoYzdxIwqaasDVVCDFWLRPChaSSc6l:UYMZMB5tgomWwqaasyQpChc
Malware Config
Extracted
redline
nam6.2
103.89.90.61:34589
-
auth_value
4040fe7c77de89cf1a6f4cebd515c54c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1528-54-0x0000000000C60000-0x0000000000C88000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
file.exepid process 1528 file.exe 1528 file.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
file.exedescription pid process Token: SeDebugPrivilege 1528 file.exe