Analysis
-
max time kernel
38s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
16-10-2022 22:20
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
General
-
Target
tmp.exe
-
Size
199KB
-
MD5
556c971093783db0c2396d3082934ba7
-
SHA1
885b7b171791c47f33899e0e123601e9114d733b
-
SHA256
097c4715fd2a5a874612386480afc138281e3a962539810dafa523bb3acd1c7a
-
SHA512
8ec9c03262a54c490fdaa0c85467171cdf0537064310d8df808411cb2bb0bc3f235ff27106cf205288d1d4aedb26a4ced81dd595b1decf73915a56580b69e613
-
SSDEEP
3072:1KN+aQBqq8Q0M4caXUgxXtMZ49l5KfKkrzpiuy:1KN+z8O+Oz
Malware Config
Extracted
redline
Meta
176.113.115.10:44271
-
auth_value
13aed6d55d037be505283eec4da98a73
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
tmp.exepid process 1712 tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmp.exedescription pid process Token: SeDebugPrivilege 1712 tmp.exe