Analysis
-
max time kernel
45s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
10-11-2022 05:46
Behavioral task
behavioral1
Sample
8416f8c43b9315bb8e32bad187d9c45f.exe
Resource
win7-20220901-en
General
-
Target
8416f8c43b9315bb8e32bad187d9c45f.exe
-
Size
360KB
-
MD5
8416f8c43b9315bb8e32bad187d9c45f
-
SHA1
1cd1427dfe448408b0343f7c964623b21ec6405b
-
SHA256
8701f05be1c34c7b4272cee9f268a8fd0373579ed43d3d43265609358f72b0ee
-
SHA512
d7ee4f1a4c46469c107c20bd9a947fd5957adb97e188df5fa5455377c3ffa8539ceab123a069dd78e71dcaf6896739b682a3e1500faedfacbfa1b7c9d0eca248
-
SSDEEP
6144:7DLUVDNfym3ZvbfVjZHBQfsN+PMjJrQoT8j78kAe8Xr8Ei7RXYWIZupaUfqlcUKg:7UNddbdjZHufDQ8x78kAe8Xr8Ei7RXYR
Malware Config
Extracted
redline
REDLINE
80.66.87.60:80
-
auth_value
0031c8881e219bb78b7e6bf19f4b67c1
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1324-54-0x0000000000150000-0x00000000001B0000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
8416f8c43b9315bb8e32bad187d9c45f.exepid process 1324 8416f8c43b9315bb8e32bad187d9c45f.exe 1324 8416f8c43b9315bb8e32bad187d9c45f.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
8416f8c43b9315bb8e32bad187d9c45f.exedescription pid process Token: SeDebugPrivilege 1324 8416f8c43b9315bb8e32bad187d9c45f.exe