Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
29-01-2023 18:26
Behavioral task
behavioral1
Sample
898f61de806302b411cb94d53aa9493a599038a8e1dd8.exe
Resource
win7-20220812-en
General
-
Target
898f61de806302b411cb94d53aa9493a599038a8e1dd8.exe
-
Size
175KB
-
MD5
1f2c3b82599a2c08b71927d14161a891
-
SHA1
bb2cd9f22ff5f4125602eae38fe738df4efdfd08
-
SHA256
898f61de806302b411cb94d53aa9493a599038a8e1dd8ccc03801835e018cca1
-
SHA512
68a8b8e7b64babe0f73e92ca2ab3c933c23d1ac77c7b4de835ca42c24205b3202a4211c979bbba0a5e045f51a175307dd1caa7256cf02b47a5f0ea3456ee2106
-
SSDEEP
3072:ZxqZWZRanU2n0G5ze159ChHTxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw0jOuw+cU:LqZg8sCh
Malware Config
Extracted
redline
new1
176.113.115.16:4122
-
auth_value
ac44cbde6633acc9d67419c7278d5c70
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
898f61de806302b411cb94d53aa9493a599038a8e1dd8.exepid process 656 898f61de806302b411cb94d53aa9493a599038a8e1dd8.exe 656 898f61de806302b411cb94d53aa9493a599038a8e1dd8.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
898f61de806302b411cb94d53aa9493a599038a8e1dd8.exedescription pid process Token: SeDebugPrivilege 656 898f61de806302b411cb94d53aa9493a599038a8e1dd8.exe