Analysis
-
max time kernel
106s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
11-10-2022 22:07
Static task
static1
Behavioral task
behavioral1
Sample
password 2022/1-1.scr
Resource
win7-20220812-en
General
-
Target
password 2022/1-1.scr
-
Size
715.0MB
-
MD5
b0a38f0a315ff80630c62eb81bc5daf0
-
SHA1
0bb1b18b3a144b29b46ca2932ba6a562f9d4b4d8
-
SHA256
c0f743fd14be816dd7c598ea9d61cd84d55d7994c1756e2f752a229106926a0a
-
SHA512
86b30248d9b0d7c53c6888e0dec388e0b38d12fa1a1e93606d7ae90a4f1d2e800da616be76b00559a1d90f21fbe94cc68be3b09f2919201d98c5d4fa17a4d078
-
SSDEEP
24576:+Vo7uE0Oab8xook2OoYQYzzK52QbgWC3yNaarmNZS8hDpAj+5ugpUPiSrcw84obn:wMOYSwiAGVvtTeRdZEHQJfQuB38V+5
Malware Config
Extracted
redline
4
185.112.83.147:17431
-
auth_value
36e644f98af4e704e0ff8db3a587fdb4
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
1-1.scrpid process 836 1-1.scr 836 1-1.scr -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
1-1.scrdescription pid process Token: SeDebugPrivilege 836 1-1.scr
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/836-54-0x0000000076831000-0x0000000076833000-memory.dmpFilesize
8KB
-
memory/836-55-0x00000000002C0000-0x00000000002FD000-memory.dmpFilesize
244KB
-
memory/836-56-0x00000000002C0000-0x00000000002FD000-memory.dmpFilesize
244KB
-
memory/836-57-0x000000000A870000-0x000000000A8A6000-memory.dmpFilesize
216KB