Analysis
max time kernel: 49s
max time network: 52s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2022 17:47
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
General
Target: file.exe
Size: 54KB
MD5: 1e2f6f150a9ed8419a02748c81220cbd
SHA1: e9dedbb568fe50dacfd909d560ca5c61ef60e93b
SHA256: cdb773860277224fd715015f6a4a1282b8202de3b654cdbc89f3aa5d8d7fe245
SHA512: b3d946f7845c4d29edc074cdf66774ff36fe0008661c2dc50c4e61eac7d295ae42884e693dc33fb40e3723ccb487e26ffc278c6085adeb23a59d4b505f4522cc
SSDEEP: 1536:uZmQZtL4cCWP4AjMKHKvV34nw9YkpzySJ3gOTMnJvajD5:SZpjMKqvVInw9YkpzySJFZ
Malware Config
Extracted: redline
20.09
176.124.201.205:8800
auth_value: edabd6419a068519adaa84bf7ad79d04
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (6 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1156-65-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
behavioral1/memory/1156-66-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
behavioral1/memory/1156-67-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
behavioral1/memory/1156-68-0x000000000042212E-mapping.dmp | family_redline
behavioral1/memory/1156-70-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
behavioral1/memory/1156-72-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/1784-54-0x0000000001280000-0x0000000001294000-memory.dmp | agile_net
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1784 set thread context of 1156 | 1784 | file.exe | file.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
1320 | powershell.exe
1784 | file.exe
1784 | file.exe
1156 | file.exe
1156 | file.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1784 | file.exe
Token: SeDebugPrivilege | 1320 | powershell.exe
Token: SeDebugPrivilege | 1156 | file.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
description | pid | process | target process
PID 1784 wrote to memory of 1320 | 1784 | file.exe | powershell.exe
PID 1784 wrote to memory of 1320 | 1784 | file.exe | powershell.exe
PID 1784 wrote to memory of 1320 | 1784 | file.exe | powershell.exe
PID 1784 wrote to memory of 1320 | 1784 | file.exe | powershell.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
PID 1784 wrote to memory of 1156 | 1784 | file.exe | file.exe
Processes
Process tree (child processes are indented under their parent):

C:\Users\Admin\AppData\Local\Temp\file.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
    (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 15)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\file.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
file | filesize
memory/1156-63-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1156-72-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1156-70-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1156-68-0x000000000042212E-mapping.dmp |
memory/1156-67-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1156-66-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1156-65-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1156-62-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1320-61-0x000000006FBC0000-0x000000007016B000-memory.dmp | 5.7MB
memory/1320-60-0x000000006FBC0000-0x000000007016B000-memory.dmp | 5.7MB
memory/1320-58-0x0000000000000000-mapping.dmp |
memory/1784-54-0x0000000001280000-0x0000000001294000-memory.dmp | 80KB
memory/1784-57-0x0000000005700000-0x0000000005792000-memory.dmp | 584KB
memory/1784-56-0x0000000000510000-0x00000000005C8000-memory.dmp | 736KB
memory/1784-55-0x00000000762F1000-0x00000000762F3000-memory.dmp | 8KB