Analysis
-
max time kernel
37s -
max time network
60s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03-10-2022 04:10
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
General
-
Target
tmp.exe
-
Size
95KB
-
MD5
68afed1fdc812019d4f646f919025657
-
SHA1
d323a21f90c5d94ede89dbf4af56565c4673baa7
-
SHA256
5196aacf00f1f252962a14acf7e7f50680f52deaaa1e1d4d7850306e8211495a
-
SHA512
f605524ee87c66daf6e3fc588b66c9a66035753343cbcedf91c7b8fce6b0c58eafa36502fb0a237ee17c5ac7c52b80e808f60756935b81799d22edf65cbbe46b
-
SSDEEP
1536:9HqsyEq76ElbG6jejoigIY43Ywzi0Zb78ivombfexv0ujXyyed2O3tmulgS6pM:91r+68YY+zi0ZbYe1g0ujyzdMM
Malware Config
Extracted
redline
cheat
simplmizer.duckdns.org:61614
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/940-54-0x0000000001340000-0x000000000135E000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
tmp.exepid process 940 tmp.exe 940 tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmp.exedescription pid process Token: SeDebugPrivilege 940 tmp.exe