Analysis
-
max time kernel
31s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
28/12/2022, 18:29
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
General
-
Target
tmp.exe
-
Size
403KB
-
MD5
3229c8c943f3a2ba40334e2b1240d0d8
-
SHA1
d214944064dd7d5ebed41f514013f297feff8109
-
SHA256
de7c689d14ca60ffa4258d96b7b8911180aaaa5668bc9785ba27b3cdb44a28a2
-
SHA512
779590ffcd0261fb9521257cbf76b04311d3a4481766636abdc0cf153981ef5cc769df4691b0575ce5b4ad9062feb97899d18ffc8a110946ba5a436f78306df4
-
SSDEEP
12288:tOLqlkXPbWqJrmzVUOenhSHPe0wnVZH9P3:QqgWqRmQhSHm0wFP
Malware Config
Extracted
redline
Post
138.124.180.186:39614
-
auth_value
4bda2ce09764851c19dedd9d8ed8328e
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/memory/1360-54-0x0000000001D10000-0x0000000001D56000-memory.dmp family_redline behavioral1/memory/1360-55-0x0000000001E80000-0x0000000001EC4000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1360 tmp.exe 1360 tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1360 tmp.exe