Analysis
-
max time kernel
51s -
max time network
56s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
02-10-2022 22:17
Behavioral task
behavioral1
Sample
4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exe
Resource
win10-20220901-en
General
-
Target
4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exe
-
Size
90KB
-
MD5
1f578271456459d3de2ab6a79af12533
-
SHA1
f13e880e4c2ae52b36e173556cbb88199e89cd23
-
SHA256
4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b
-
SHA512
1261aac563862d627c5a182ca36ff05f67bc0f83e935104b06523332fc8074e7628e19824b87bc135e43dd77ae4af02020d56e0a237ab8e0e44a139da7d21d2d
-
SSDEEP
1536:KPqUPY5RyWjddJg3JqQbDFX+jtDNjDNUNDQDNJiugjyCaDN1JvvDNPXlJ7mVcvPb:N3ksjigjHiVWWc59G7mnboiIK
Malware Config
Extracted
redline
80.66.87.22:80
-
auth_value
5b663effac3b92fe687f0181631eeff2
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exepid process 856 4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exe 856 4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exedescription pid process Token: SeDebugPrivilege 856 4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exe"C:\Users\Admin\AppData\Local\Temp\4fe6f1177349a62e07c8622e08c9fd6981cb84b397c4491b80a68985daa04d9b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken