Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
26/10/2022, 23:44
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
General
-
Target
file.exe
-
Size
347KB
-
MD5
5c155294b9a343f5bf1e63f64d830703
-
SHA1
d15231628a5776f8866be6b073efc90ac2b44474
-
SHA256
a4b5bc9f7e30c488564c5e46a931b3bfb876e0a5261f7aee68b6751be7dfc8c3
-
SHA512
8f05750b9b53a2b4e30ddff565f1f2405be36294b72abb611612717355d433fe39ad2a9a7b2bbc0823347a7f8c25f6d0ccdbfd793150aecc8977b05977453f4c
-
SSDEEP
6144:ZxE7gsL/d5MaLNZsWyFAQqVqLU5kD593FEzZTZpp5smIAG:ZxE0sbDMEsWy9qVv5iv3FE1JeqG
Malware Config
Extracted
redline
Fote
79.137.199.60:4691
-
auth_value
e063cd2fd03a8d8334b8d7c3a7b0e7ef
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/memory/1096-54-0x0000000004890000-0x00000000048CE000-memory.dmp family_redline behavioral1/memory/1096-55-0x00000000048D0000-0x000000000490C000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1096 file.exe 1096 file.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1096 file.exe