Analysis
-
max time kernel
31s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
22-03-2023 21:16
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
General
-
Target
tmp.exe
-
Size
336KB
-
MD5
f8e0e6946af017037e8bb4d5455d4e99
-
SHA1
6691a0d551c3991fbe5f18147711e829616099bb
-
SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e
-
SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93
-
SSDEEP
6144:/9iSw0wGzCUaIgYH/BwjL4rEwgGCHNUqsVwMS5ZVU3mgswg1st8WDx:/9iOZCUaKHFfVwMS5ZVU3mgswg1st8W9
Malware Config
Extracted
redline
14
45.12.253.144:40145
-
auth_value
6528d0f243ad9e530a68f2a487521a80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
tmp.exepid process 1708 tmp.exe 1708 tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmp.exedescription pid process Token: SeDebugPrivilege 1708 tmp.exe