Analysis
max time kernel: 36s
max time network: 39s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 06-02-2023 16:46
Behavioral task: behavioral1
Sample: 3FEAE453D474140F7DE8FD150226F3A892083C74D5CFA.exe
Resource: win7-20221111-en
General
Target: 3FEAE453D474140F7DE8FD150226F3A892083C74D5CFA.exe
Size: 95KB
MD5: 5a5346678e26c7e1870d66705bc9bbb8
SHA1: caac1c81e8d33761edfba8712402e7ba9b223c95
SHA256: 3feae453d474140f7de8fd150226f3a892083c74d5cfa760cae6bb4751375683
SHA512: cb3635edb95190b678a977ad3e11e5d99eb5605b2d935b48be88638750d328801a5c728a0d41ee760a5bd807ff88dda5560ecb5d4f6dc839712ac64ce948e176
SSDEEP: 1536:Vqsm5qeUlbG6jejoigI843Ywzi0Zb78ivombfexv0ujXyyed2b3tmulgS6pA:TKlMY8+zi0ZbYe1g0ujyzdDA
Malware Config
Extracted
redline
cheat
design-invited.at.ply.gg:23426
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoCs)
Processes:
resource: behavioral1/memory/976-54-0x0000000000C90000-0x0000000000CAE000-memory.dmp
yara_rule: family_redline

SectopRAT payload (1 IoCs)
Processes:
resource: behavioral1/memory/976-54-0x0000000000C90000-0x0000000000CAE000-memory.dmp
yara_rule: family_sectoprat
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
976   3FEAE453D474140F7DE8FD150226F3A892083C74D5CFA.exe
976   3FEAE453D474140F7DE8FD150226F3A892083C74D5CFA.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  976   3FEAE453D474140F7DE8FD150226F3A892083C74D5CFA.exe