Analysis
-
max time kernel
28s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
17-03-2023 15:11
Behavioral task
behavioral1
Sample
263d1a091eafd115e0f9f2e408df14b7ce5e1f06c3ad6.exe
Resource
win7-20230220-en
General
-
Target
263d1a091eafd115e0f9f2e408df14b7ce5e1f06c3ad6.exe
-
Size
175KB
-
MD5
0191cb1f788338484c31712a343f0b52
-
SHA1
f78ef09e96fa492639253bb10d0153f0f27053a9
-
SHA256
263d1a091eafd115e0f9f2e408df14b7ce5e1f06c3ad66e01819d2f7a9a539cb
-
SHA512
f894517f6629a01e673ae82e339f9aa364eb4ca0f5f42e0a8fcdad31fdb22a0a3a64d749723c2965a441361f805ba598375cdfef281e2c8a06c4616caed47004
-
SSDEEP
3072:nxqZWpZaPkOQ3xxW3l0weBFFuh/jxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw0jOi:xqZwxxW1Cuh
Malware Config
Extracted
redline
Redline
85.31.54.181:43728
-
auth_value
1666a0a46296c430de7ba5e70bd0c0f3
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
263d1a091eafd115e0f9f2e408df14b7ce5e1f06c3ad6.exepid process 1148 263d1a091eafd115e0f9f2e408df14b7ce5e1f06c3ad6.exe 1148 263d1a091eafd115e0f9f2e408df14b7ce5e1f06c3ad6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
263d1a091eafd115e0f9f2e408df14b7ce5e1f06c3ad6.exedescription pid process Token: SeDebugPrivilege 1148 263d1a091eafd115e0f9f2e408df14b7ce5e1f06c3ad6.exe