Analysis
-
max time kernel
48s -
max time network
64s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
10-11-2022 09:47
Behavioral task
behavioral1
Sample
svchosts.exe
Resource
win7-20220901-en
General
-
Target
svchosts.exe
-
Size
205KB
-
MD5
b3503746bb7f1d30755c9f4a26ce0a2c
-
SHA1
2490c2a6b3fad0711993c8bb16aab2d21cefac6f
-
SHA256
90706da9b2d8dca13b4823cb9b6c95bde3df92ac336826722b33cfe495d2e300
-
SHA512
142841d0e5a51212af7f7ae6cd083eb5daa2e5542f3c8294524ff8c722a4dcbe8462bf647f928ba3b3edb4d36638a4be5a83ad5762e9b8e66429f6006901b72c
-
SSDEEP
1536:pqsEFqJklbG6jejoigIg43Ywzi0Zb78ivombfexv0ujXyyed2AtmulgS6pG3OkzB:HYScYg+zi0ZbYe1g0ujyzdspkzLQW
Malware Config
Extracted
redline
1877
overthinker1877.duckdns.org:60732
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1288-54-0x0000000000890000-0x00000000008C8000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
svchosts.exepid process 1288 svchosts.exe 1288 svchosts.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
svchosts.exedescription pid process Token: SeDebugPrivilege 1288 svchosts.exe