Analysis

max time kernel: 148s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-03-2023 09:31

Static task: static1
Behavioral task: behavioral1
Sample: bf48f1d6ac29f4c0bf75c8f4abcb617d4b371c4691a50a421194a922c1c8f029.exe
Resource: win10v2004-20230220-en
General

Target: bf48f1d6ac29f4c0bf75c8f4abcb617d4b371c4691a50a421194a922c1c8f029.exe
Size: 358KB
MD5: e075006fa6d80d2951e2d9797c9ca22e
SHA1: 02cce516aaa4bf20f97ecb16815f7a7980641de2
SHA256: bf48f1d6ac29f4c0bf75c8f4abcb617d4b371c4691a50a421194a922c1c8f029
SHA512: ddce18ba61c94285ac47f890f1f2e95e5734440ce9588b7f06a424bac9a0d4750782cc0a12d6553c4508164b5bdf0654dd3b98279ac481cb0564eb8cb932a20c
SSDEEP: 6144:ZTL2hv9cnsU4PN/76yRcX1rt6CoE+iOQUk:ZTqhv9cnZuNOcSGbD
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload  33 IoCs

resource                                                                      yara_rule
behavioral1/memory/4940-136-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-137-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-139-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-141-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-143-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-145-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-149-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-147-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-152-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-155-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-157-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-159-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-161-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-163-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-165-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-167-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-169-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-171-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-173-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-175-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-177-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-179-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-181-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-183-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-185-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-187-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-189-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-191-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-193-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-195-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-197-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-199-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
behavioral1/memory/4940-201-0x0000000002810000-0x0000000002862000-memory.dmp  family_redline
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting  2 TTPs

Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash  1 IoCs

pid   pid_target  Process       procid_target
3676  4940        WerFault.exe  85

Suspicious behavior: EnumeratesProcesses  2 IoCs

pid   Process
4940  bf48f1d6ac29f4c0bf75c8f4abcb617d4b371c4691a50a421194a922c1c8f029.exe
4940  bf48f1d6ac29f4c0bf75c8f4abcb617d4b371c4691a50a421194a922c1c8f029.exe

Suspicious use of AdjustPrivilegeToken  1 IoCs

description              pid   Process
Token: SeDebugPrivilege  4940  bf48f1d6ac29f4c0bf75c8f4abcb617d4b371c4691a50a421194a922c1c8f029.exe
Processes

C:\Users\Admin\AppData\Local\Temp\bf48f1d6ac29f4c0bf75c8f4abcb617d4b371c4691a50a421194a922c1c8f029.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf48f1d6ac29f4c0bf75c8f4abcb617d4b371c4691a50a421194a922c1c8f029.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1224
      - Program crash
      PID:3676

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4940 -ip 4940
  PID:5088