Analysis
-
max time kernel
45s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
10-11-2022 06:45
Behavioral task
behavioral1
Sample
8e0a35d381761556ab5c1ea006d876e4.exe
Resource
win7-20220901-en
General
-
Target
8e0a35d381761556ab5c1ea006d876e4.exe
-
Size
361KB
-
MD5
8e0a35d381761556ab5c1ea006d876e4
-
SHA1
cfdeb868b14c3a74479ed1ac1d1c6f842a707dab
-
SHA256
75517e683e81171572dab2526e9583d31c679744b12b251d7d6c6cf14f83f21a
-
SHA512
d963c6d90bf0b126802f1aee7fb895431af574d635d1edddab1e1c27b930926b6bdf33d3da66ba0e6dbd346715ecfa6fbd0d1858ca62be2e535525a3ade3a905
-
SSDEEP
6144:pQ3p/OMWl2N+NanZEMTv+H18iy0YUFGhHve9A0zoaT7Vrm37CX4QdXHgoE9njCoe:ulbNRZEQvHNUFG1vGA0zoaT7Vrm37CXB
Malware Config
Extracted
redline
REDLINE
80.66.87.60:80
-
auth_value
0031c8881e219bb78b7e6bf19f4b67c1
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2032-54-0x0000000000AA0000-0x0000000000B00000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
8e0a35d381761556ab5c1ea006d876e4.exepid process 2032 8e0a35d381761556ab5c1ea006d876e4.exe 2032 8e0a35d381761556ab5c1ea006d876e4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
8e0a35d381761556ab5c1ea006d876e4.exedescription pid process Token: SeDebugPrivilege 2032 8e0a35d381761556ab5c1ea006d876e4.exe