Analysis
- max time kernel: 48s
- max time network: 53s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 21-11-2022 15:04
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 55b1fd7484074158f9e9e8f657ec5a94.exe
  - Resource: win7-20221111-en
General
- Target: 55b1fd7484074158f9e9e8f657ec5a94.exe
- Size: 385KB
- MD5: 55b1fd7484074158f9e9e8f657ec5a94
- SHA1: 6988125039cbf77b4ff06fa75fa56975004d3333
- SHA256: 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22
- SHA512: a7b292cc74578308b4c3d129809119a96c6522185e05ddaefb294ae6636894a145383140d23b1d3217f300ee63646d6f185fdb02dcbd9ab0ee5d840aa49b4de9
- SSDEEP: 12288:3fW6EQ0byZvdEnOuX9opfM99K0S+pOxOTEh25D:3fCbyZvdEnFX9op2KQKdhA
Malware Config
Extracted
- Family: redline
- Botnet: top1
- C2:
  - chardhesha.xyz:81
  - jalocliche.xyz:81
- auth_value: fa2afa98a6579319e36e31ee0552bd57
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/2024-56-0x00000000006C0000-0x00000000006EA000-memory.dmp: family_redline
  - \Windows\Temp\top1.exe: family_redline
  - C:\Windows\Temp\top1.exe: family_redline
  - C:\Windows\Temp\top1.exe: family_redline
  - behavioral1/memory/1500-61-0x0000000000E40000-0x0000000000E68000-memory.dmp: family_redline
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 1500: top1.exe
- Loads dropped DLL (1 IoC)
  Processes:
  - PID 2024: 55b1fd7484074158f9e9e8f657ec5a94.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 1500: top1.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / PID / process):
  - Token: SeDebugPrivilege / 2024 / 55b1fd7484074158f9e9e8f657ec5a94.exe
  - Token: SeDebugPrivilege / 1500 / top1.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / PID / process / target process):
  - PID 2024 wrote to memory of 1500 / 2024 / 55b1fd7484074158f9e9e8f657ec5a94.exe / top1.exe
  - PID 2024 wrote to memory of 1500 / 2024 / 55b1fd7484074158f9e9e8f657ec5a94.exe / top1.exe
  - PID 2024 wrote to memory of 1500 / 2024 / 55b1fd7484074158f9e9e8f657ec5a94.exe / top1.exe
  - PID 2024 wrote to memory of 1500 / 2024 / 55b1fd7484074158f9e9e8f657ec5a94.exe / top1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\55b1fd7484074158f9e9e8f657ec5a94.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\55b1fd7484074158f9e9e8f657ec5a94.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Temp\top1.exe (PID 1500, child of PID 2024)
    Command line: "C:\Windows\Temp\top1.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\Temp\top1.exe
  Filesize: 137KB
  MD5: a135b9085fa8ef921eec14057b03125f
  SHA1: 4bf5ad5601da96ad4304f3d02b169868c972415d
  SHA256: 24aebc01eb25512c266cc73a1bf90a40b92e5924ddb94ba6db3be9aa89539ea3
  SHA512: c7d4f74bedb81125a5ba42dad7be1dfa8220f1f5da96d61cc3e6b87fa9dd18217b9c6683ab6f16e0197084eead7db50df401d06a7ef4434038512d7d391effab
- \Windows\Temp\top1.exe
  Filesize: 137KB
  MD5: a135b9085fa8ef921eec14057b03125f
  SHA1: 4bf5ad5601da96ad4304f3d02b169868c972415d
  SHA256: 24aebc01eb25512c266cc73a1bf90a40b92e5924ddb94ba6db3be9aa89539ea3
  SHA512: c7d4f74bedb81125a5ba42dad7be1dfa8220f1f5da96d61cc3e6b87fa9dd18217b9c6683ab6f16e0197084eead7db50df401d06a7ef4434038512d7d391effab
- memory/1500-58-0x0000000000000000-mapping.dmp
- memory/1500-61-0x0000000000E40000-0x0000000000E68000-memory.dmp
  Filesize: 160KB
- memory/2024-54-0x00000000010A0000-0x0000000001106000-memory.dmp
  Filesize: 408KB
- memory/2024-55-0x00000000760B1000-0x00000000760B3000-memory.dmp
  Filesize: 8KB
- memory/2024-56-0x00000000006C0000-0x00000000006EA000-memory.dmp
  Filesize: 168KB