Analysis
-
max time kernel
91s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
28-10-2022 21:30
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
General
-
Target
tmp.exe
-
Size
137KB
-
MD5
14e5359992d0a3f4c66f51766a70ad26
-
SHA1
274a8bbf8197f1a803215b95fc3879785924dcb4
-
SHA256
747329e17b67401944bd3f8a11b4cbe8770ad714eda50740ef1629431c713e3b
-
SHA512
1d120ea2cfb5743a46d9c17e1530a2f5de7d0fd61e8a3d0ad933c5b966da83271af92adfa5c8ba038206d686bb661965d6dc2b862d8f10098900dd6e78c36a26
-
SSDEEP
3072:MYO/ZMTFhne4tHu2yu/Sx7ZIVaDF2bRP8hPSSP4:MYMZMBhne4A2//Sx7ZN0p8h
Malware Config
Extracted
redline
seo35
34.92.152.18:27180
-
auth_value
402c199e97a51d0d3197786424b45812
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4424-132-0x0000000000470000-0x0000000000498000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4424 tmp.exe 4424 tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4424 tmp.exe