Analysis
-
max time kernel
47s -
max time network
53s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
23-11-2022 13:35
General
-
Target
096eb357e1d8c5141282b72929ae77e9.exe
-
Size
666KB
-
MD5
096eb357e1d8c5141282b72929ae77e9
-
SHA1
1eff9fa176bf1744c56f996442755221e3147427
-
SHA256
f3f7fa2e6ad4bfa9c3ab22fbe8056d8d1d9cb8a2c0221dd094892027ce1fed4e
-
SHA512
445985159f5d9a553c2591572f56faafdc1509b73a6e309d5ac58888eacabbf6633237771aacf16c4bb1d5bf06b8d11c7aa9324d09f74a3a9a69050391a651ae
-
SSDEEP
6144:81KMo5oZQj/nnj6dWwsoyyQU/R8MqOwz14094BMDq+W9EE:87ij/nnch3yOjc1F94eiEE
Malware Config
Extracted
redline
Lyla4.22.11
185.215.113.216:21921
-
auth_value
f7fecd92e1cc04a774215731b3bf2e9a
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\096eb357e1d8c5141282b72929ae77e9.exe"C:\Users\Admin\AppData\Local\Temp\096eb357e1d8c5141282b72929ae77e9.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\Lyla42211.exe"C:\Windows\Temp\Lyla42211.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD5396be02b5a8968f891420ecaf7831bcc
SHA127417d7d14690697ecaa8fb1ff51da860492946e
SHA2562b20128923b2d4372e4f5c6a4803fef3fe26cd666e82598133d39088530b5e7f
SHA51248314fd91396611f17440336d297f9aa9d7a6ffb2855100e3d91e3c656ed0dcc926c57e7f3929ea00e38d852c59641edb360713225273f9ba9250c1c7c5028d0
-
Filesize
200KB
MD5396be02b5a8968f891420ecaf7831bcc
SHA127417d7d14690697ecaa8fb1ff51da860492946e
SHA2562b20128923b2d4372e4f5c6a4803fef3fe26cd666e82598133d39088530b5e7f
SHA51248314fd91396611f17440336d297f9aa9d7a6ffb2855100e3d91e3c656ed0dcc926c57e7f3929ea00e38d852c59641edb360713225273f9ba9250c1c7c5028d0
-
Filesize
200KB
MD5396be02b5a8968f891420ecaf7831bcc
SHA127417d7d14690697ecaa8fb1ff51da860492946e
SHA2562b20128923b2d4372e4f5c6a4803fef3fe26cd666e82598133d39088530b5e7f
SHA51248314fd91396611f17440336d297f9aa9d7a6ffb2855100e3d91e3c656ed0dcc926c57e7f3929ea00e38d852c59641edb360713225273f9ba9250c1c7c5028d0
-
-
Filesize
216KB
-
Filesize
688KB
-
Filesize
8KB
-
Filesize
232KB