Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
29-01-2023 21:24
General
-
Target
file.exe
-
Size
175KB
-
MD5
2d0151747adb6fdee710037a405e1b54
-
SHA1
07a5328ee173fc22ef8432d362422c09f30b70bf
-
SHA256
df2d0a6a35f6653c8e5e2e3e8d7184b39c490b0e8b091ad85428aa47165ccbf0
-
SHA512
4cd57d565526b1da86bdf5388376e29053727f391bceb94e8e0470946d2381a9624e5e3ae266bb4cf76d22a1f3933a6b334a98281d866f681d96e88e4bb19212
-
SSDEEP
3072:ExqZWdNaDUSkPupeUaUwxe4q9dhQ3xNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw0jn:aqZUupeLnUdh
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
Meta
C2
170.187.197.210:47271
Attributes
-
auth_value
01ac374fd5de16cd3ec0cb7fce77600f
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1356-54-0x0000000000D30000-0x0000000000D62000-memory.dmpFilesize
200KB
-
memory/1356-55-0x0000000076711000-0x0000000076713000-memory.dmpFilesize
8KB