Analysis
max time kernel: 78s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2023, 20:57
Static task: static1
Behavioral task: behavioral1
Sample: 42f248f1ceb9e3099ae6b7ed6ad1870e266de9ad90cdd1a1525b12c715ba8c8a.exe
Resource: win10v2004-20230221-en
General
Target: 42f248f1ceb9e3099ae6b7ed6ad1870e266de9ad90cdd1a1525b12c715ba8c8a.exe
Size: 408KB
MD5: 0265ca982e0a0d86229b26988dbfeafa
SHA1: 7dfee796680005995b73137914460eade708c5c7
SHA256: 42f248f1ceb9e3099ae6b7ed6ad1870e266de9ad90cdd1a1525b12c715ba8c8a
SHA512: ed8680b957a17f30f8c727485fc2830419e270fc5f07400bee93a874cb5b4fe70608c46508a0bf009c3138867284582f245709e9544983e74df162f83100130a
SSDEEP: 6144:MRkFL+bDWuQkaz8fFzbjUbAYuyoLfX9WnjLyQHvs5hrQX6+wc:MCabaVkCedUcYuzbkPGQXN
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 33 IoCs
resource  yara_rule
behavioral1/memory/4912-136-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-137-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-139-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-141-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-143-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-145-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-149-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-152-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-154-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-156-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-158-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-160-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-162-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-164-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-166-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-168-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-170-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-172-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-174-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-176-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-178-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-180-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-182-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-184-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-186-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-188-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-190-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-192-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-194-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-196-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-198-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-200-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
behavioral1/memory/4912-202-0x0000000007980000-0x00000000079D2000-memory.dmp  family_redline
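All 33 hits above are the same page-aligned region of pid 4912 (0x7980000-0x79D2000, 0x52000 bytes) matched again in every successive memory dump from sequence 136 to 202, which is consistent with the decrypted stealer staying resident in memory for the rest of the run rather than a transient buffer. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses that resource naming scheme and collapses repeated hits into one record per distinct region. The regex and the field names are assumptions derived from the strings as printed above; the excerpt it runs on is three of the 33 entries copied from the table.

```python
"""Parse sandbox memory-dump IoCs of the form
   <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <yara_rule>
and group them into distinct memory regions per process."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Resource naming scheme as it appears in the report (assumed from the text).
MEMORY_IOC_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PAGE_SIZE = 0x1000  # x86/x64 page size, used for the alignment sanity check


@dataclass(frozen=True)
class MemoryHit:
    task: str
    pid: int
    seq: int    # dump sequence number within the task
    start: int  # region start (virtual address in the target process)
    end: int    # region end, exclusive
    rule: str   # YARA rule that matched this dump

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_hits(text: str) -> list[MemoryHit]:
    """Extract (resource, rule) pairs from the flattened signature text.

    Tokens that do not look like a memory-dump resource (the 'resource
    yara_rule' header, stray '-' separators) are skipped."""
    tokens = text.split()
    hits: list[MemoryHit] = []
    i = 0
    while i < len(tokens) - 1:
        m = MEMORY_IOC_RE.match(tokens[i])
        if m is None:
            i += 1
            continue
        hits.append(MemoryHit(
            task=m["task"], pid=int(m["pid"]), seq=int(m["seq"]),
            start=int(m["start"], 16), end=int(m["end"], 16),
            rule=tokens[i + 1],
        ))
        i += 2
    return hits


def summarize_regions(hits: list[MemoryHit]) -> list[dict]:
    """Collapse repeated hits on the same region into one record per
    (pid, start, end, rule), keeping how many dumps matched and the
    first/last dump sequence number in which the region was seen."""
    groups: dict[tuple, list[int]] = defaultdict(list)
    for h in hits:
        groups[(h.pid, h.start, h.end, h.rule)].append(h.seq)
    regions = []
    for (pid, start, end, rule), seqs in sorted(groups.items()):
        seqs.sort()
        regions.append({
            "pid": pid, "rule": rule,
            "start": start, "end": end, "size": end - start,
            "page_aligned": start % PAGE_SIZE == 0 and end % PAGE_SIZE == 0,
            "hits": len(seqs), "first_seq": seqs[0], "last_seq": seqs[-1],
        })
    return regions


# Excerpt of the 'RedLine payload' IoC list from the report above (three of
# the 33 entries, enough to show the grouping).
REPORT_EXCERPT = (
    "resource yara_rule "
    "behavioral1/memory/4912-136-0x0000000007980000-0x00000000079D2000-memory.dmp family_redline "
    "behavioral1/memory/4912-137-0x0000000007980000-0x00000000079D2000-memory.dmp family_redline "
    "behavioral1/memory/4912-202-0x0000000007980000-0x00000000079D2000-memory.dmp family_redline -"
)

if __name__ == "__main__":
    for r in summarize_regions(parse_memory_hits(REPORT_EXCERPT)):
        print(f"pid {r['pid']}: {r['rule']} in 0x{r['start']:x}-0x{r['end']:x} "
              f"({r['size']:#x} bytes, {r['hits']} dumps, "
              f"seq {r['first_seq']}..{r['last_seq']})")
```

Feeding it the full list from the table yields one region with 33 hits; a second region appearing in the output would mean the rule fired on more than one buffer (for example an encrypted blob and its unpacked copy), which is worth dumping separately.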
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
pid   pid_target  Process       procid_target
3324  4912        WerFault.exe  84
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
4912  42f248f1ceb9e3099ae6b7ed6ad1870e266de9ad90cdd1a1525b12c715ba8c8a.exe
4912  42f248f1ceb9e3099ae6b7ed6ad1870e266de9ad90cdd1a1525b12c715ba8c8a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  4912  42f248f1ceb9e3099ae6b7ed6ad1870e266de9ad90cdd1a1525b12c715ba8c8a.exe
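Taken individually, most of the behaviours listed above are common in legitimate software: installers and inventory agents read the Uninstall key, debuggers and backup tools enable SeDebugPrivilege, many programs enumerate processes. What marks pid 4912 is the combination of those with reads of browser credential stores and wallet files. Note also that the sample crashed in the sandbox (WerFault.exe launched against pid 4912), so the record ends early and only the behaviours actually reported are used here. The Python below is an added example, not part of this report or of the sandbox's detection engine: it maps each reported behaviour onto a predicate over simplified endpoint events and requires credential-store access plus at least two supporting behaviours before calling a process infostealer-like. The event schema, the browser and wallet path lists, and the sample events are all constructed assumptions, not telemetry from the run.

```python
"""Map the behaviours listed in the report (Uninstall-key lookups, browser
credential-store reads, wallet file reads, process enumeration,
SeDebugPrivilege) onto simplified endpoint events and score each process."""
from __future__ import annotations

import re
from collections import defaultdict

# Observable locations for each behaviour. The browser and wallet paths are
# an assumed short list of common locations, not taken from the report.
UNINSTALL_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)
BROWSER_DATA_RE = re.compile(
    r"\\User Data\\.+\\(Login Data|Cookies|Web Data)$"                 # Chromium family
    r"|\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$",  # Firefox
    re.I)
WALLET_RE = re.compile(
    r"\\(Exodus|Electrum|Ethereum|Atomic|Bitcoin)\\|\\wallet\.dat$", re.I)


def _path(e: dict) -> str:
    return e.get("path", "")


# Each rule is a predicate over one simplified event record.
RULES = {
    "checks_installed_software":
        lambda e: e["type"] == "registry_read" and bool(UNINSTALL_KEY_RE.search(_path(e))),
    "reads_browser_data":
        lambda e: e["type"] == "file_read" and bool(BROWSER_DATA_RE.search(_path(e))),
    "accesses_crypto_wallets":
        lambda e: e["type"] == "file_read" and bool(WALLET_RE.search(_path(e))),
    "enumerates_processes":
        lambda e: e["type"] == "process_enum",
    "adjusts_debug_privilege":
        lambda e: e["type"] == "privilege_adjust" and e.get("privilege") == "SeDebugPrivilege",
}

HARVESTING = {"reads_browser_data", "accesses_crypto_wallets"}


def evaluate(events: list[dict]) -> dict[int, set[str]]:
    """Return, per pid, the set of rule names that fired on any of its events."""
    fired: dict[int, set[str]] = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                fired[e["pid"]].add(name)
    return dict(fired)


def verdict(rules: set[str]) -> str:
    """Credential-store access plus at least two supporting behaviours is the
    combination the report shows; any one of them alone is common in benign
    software, so it is not enough on its own."""
    if rules & HARVESTING and len(rules) >= 3:
        return "infostealer-like"
    if rules & HARVESTING:
        return "credential-access"
    return "low"


# Constructed, simplified event records (not a real Sysmon/ETW schema) modelled
# on the behaviours listed for pid 4912 above, plus a benign pid 1234 that only
# reads the Uninstall key, as an installer or inventory agent would.
SAMPLE_EVENTS = [
    {"pid": 4912, "type": "registry_read", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 4912, "type": "registry_read", "path": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"pid": 4912, "type": "file_read", "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4912, "type": "file_read", "path": r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"},
    {"pid": 4912, "type": "file_read", "path": r"C:\Users\Admin\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"pid": 4912, "type": "process_enum"},
    {"pid": 4912, "type": "privilege_adjust", "privilege": "SeDebugPrivilege"},
    {"pid": 1234, "type": "registry_read", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 1234, "type": "file_read", "path": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, rules in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, verdict(rules), sorted(rules))
```

On a real host the registry and file reads would have to come from object-access auditing (Security event 4663 with SACLs on the keys and files) or from EDR telemetry, since Sysmon records registry writes but not reads; SeDebugPrivilege enablement is visible in Security event 4703 when token-right adjustment auditing is on.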
Processes
1. C:\Users\Admin\AppData\Local\Temp\42f248f1ceb9e3099ae6b7ed6ad1870e266de9ad90cdd1a1525b12c715ba8c8a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\42f248f1ceb9e3099ae6b7ed6ad1870e266de9ad90cdd1a1525b12c715ba8c8a.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   PID: 4912
   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1220
      - Program crash
      PID: 3324
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4912 -ip 4912
   PID: 3736