redline | 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55b1fd7484074158f9e9e8f657ec5a94.exe
Size

385KB
MD5

55b1fd7484074158f9e9e8f657ec5a94
SHA1

6988125039cbf77b4ff06fa75fa56975004d3333
SHA256

92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22
SHA512

a7b292cc74578308b4c3d129809119a96c6522185e05ddaefb294ae6636894a145383140d23b1d3217f300ee63646d6f185fdb02dcbd9ab0ee5d840aa49b4de9
SSDEEP

12288:3fW6EQ0byZvdEnOuX9opfM99K0S+pOxOTEh25D:3fCbyZvdEnFX9op2KQKdhA

Score

10^/10

redline top1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

top1

chardhesha.xyz:81

jalocliche.xyz:81

Attributes

auth_value
fa2afa98a6579319e36e31ee0552bd57

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2024-56-0x00000000006C0000-0x00000000006EA000-memory.dmp	family_redline
\Windows\Temp\top1.exe	family_redline
C:\Windows\Temp\top1.exe	family_redline
C:\Windows\Temp\top1.exe	family_redline
behavioral1/memory/1500-61-0x0000000000E40000-0x0000000000E68000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

Processes:

top1.exe

pid process

1500 top1.exe
Loads dropped DLL 1 IoCs

Processes:

55b1fd7484074158f9e9e8f657ec5a94.exe

pid process

2024 55b1fd7484074158f9e9e8f657ec5a94.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

top1.exe

pid process

1500 top1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

55b1fd7484074158f9e9e8f657ec5a94.exetop1.exe

description pid process

Token: SeDebugPrivilege 2024 55b1fd7484074158f9e9e8f657ec5a94.exe
Token: SeDebugPrivilege 1500 top1.exe

pid	process
1500	top1.exe

pid	process
2024	55b1fd7484074158f9e9e8f657ec5a94.exe

pid	process
1500	top1.exe

description	pid	process
Token: SeDebugPrivilege	2024	55b1fd7484074158f9e9e8f657ec5a94.exe
Token: SeDebugPrivilege	1500	top1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

55b1fd7484074158f9e9e8f657ec5a94.exe

description	pid	process	target process
PID 2024 wrote to memory of 1500	2024	55b1fd7484074158f9e9e8f657ec5a94.exe	top1.exe
PID 2024 wrote to memory of 1500	2024	55b1fd7484074158f9e9e8f657ec5a94.exe	top1.exe
PID 2024 wrote to memory of 1500	2024	55b1fd7484074158f9e9e8f657ec5a94.exe	top1.exe
PID 2024 wrote to memory of 1500	2024	55b1fd7484074158f9e9e8f657ec5a94.exe	top1.exe

C:\Users\Admin\AppData\Local\Temp\55b1fd7484074158f9e9e8f657ec5a94.exe
"C:\Users\Admin\AppData\Local\Temp\55b1fd7484074158f9e9e8f657ec5a94.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Temp\top1.exe
"C:\Windows\Temp\top1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\top1.exe
Filesize
137KB

MD5
a135b9085fa8ef921eec14057b03125f

SHA1
4bf5ad5601da96ad4304f3d02b169868c972415d

SHA256
24aebc01eb25512c266cc73a1bf90a40b92e5924ddb94ba6db3be9aa89539ea3

SHA512
c7d4f74bedb81125a5ba42dad7be1dfa8220f1f5da96d61cc3e6b87fa9dd18217b9c6683ab6f16e0197084eead7db50df401d06a7ef4434038512d7d391effab

Download Submit
C:\Windows\Temp\top1.exe
Filesize
137KB

MD5
a135b9085fa8ef921eec14057b03125f

SHA1
4bf5ad5601da96ad4304f3d02b169868c972415d

SHA256
24aebc01eb25512c266cc73a1bf90a40b92e5924ddb94ba6db3be9aa89539ea3

SHA512
c7d4f74bedb81125a5ba42dad7be1dfa8220f1f5da96d61cc3e6b87fa9dd18217b9c6683ab6f16e0197084eead7db50df401d06a7ef4434038512d7d391effab

Download Submit
\Windows\Temp\top1.exe
Filesize
137KB

MD5
a135b9085fa8ef921eec14057b03125f

SHA1
4bf5ad5601da96ad4304f3d02b169868c972415d

SHA256
24aebc01eb25512c266cc73a1bf90a40b92e5924ddb94ba6db3be9aa89539ea3

SHA512
c7d4f74bedb81125a5ba42dad7be1dfa8220f1f5da96d61cc3e6b87fa9dd18217b9c6683ab6f16e0197084eead7db50df401d06a7ef4434038512d7d391effab

Download Submit
memory/1500-58-0x0000000000000000-mapping.dmp

Download
memory/1500-61-0x0000000000E40000-0x0000000000E68000-memory.dmp

Filesize
160KB

Download
memory/2024-54-0x00000000010A0000-0x0000000001106000-memory.dmp

Filesize
408KB

Download
memory/2024-55-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/2024-56-0x00000000006C0000-0x00000000006EA000-memory.dmp

Filesize
168KB

Download