redline | b205d934150c3148b352e89367e4ef899822454d9a54cc57602b54c26bda7278

Analysis

max time kernel
195s
max time network
210s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12/02/2023, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Soft/Installer.exe
Size

533.1MB
MD5

a2c5f3a8b6bf9b2755107296705606ea
SHA1

469e621c7fa66ae1c4ab5aeb62f2cecc51c62232
SHA256

9dbba8fe1bb28f186aa36af8ef5daebdd078c485cf9539927e5848a28faf6377
SHA512

f3700987ba04afeba1f9614bbbdc721cfbcd127108e4177c3373f8d8a2b9c3f99d875ddfb5c8c9fc60aac754ad58ef40c8a21c4847805290c7859286d51fc8fb
SSDEEP

6144:0CCF4KsWTQZdKUSwinRHHKCKizMIuIhbZiDDTM/:jK4TM/

Score

10^/10

redline newz0rm1on discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

newz0rm1on

82.115.223.77:38358

Attributes

auth_value
8166a4b9c70505f13b3ba63710a27a5f

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
596	Installer.exe
596	Installer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	Installer.exe

C:\Users\Admin\AppData\Local\Temp\New Soft\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\New Soft\Installer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-54-0x0000000000C70000-0x0000000000D5C000-memory.dmp

Filesize
944KB

Download
memory/596-55-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/596-56-0x0000000000A00000-0x0000000000A32000-memory.dmp

Filesize
200KB

Download
memory/596-57-0x0000000000960000-0x0000000000996000-memory.dmp

Filesize
216KB

Download