Analysis

Max time kernel: 28s
Max time network: 30s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 25-03-2023 14:44

Static task: static1
Behavioral task: behavioral1
  Sample: 3c62500496bfc4f35d38ddbe71be78c2.exe
  Resource: win7-20230220-en
General

Target: 3c62500496bfc4f35d38ddbe71be78c2.exe
Size: 895KB
MD5: 3c62500496bfc4f35d38ddbe71be78c2
SHA1: 4982a2fb4963f1f574a9ee1e5d02c429148c5e70
SHA256: dc980114d28ff6a6743bf6951527b33e43ee1e72d254d6a46cc2049ce0eba165
SHA512: d71935afa0f1f3e5c6a291b09b20a020ea6b73ec181f22520f0dd35306f9357c229e6dad17956657c935a455403efb308f224444a06821c414d0c395f484cd4c
SSDEEP: 12288:YGKSH3TvrnDfbXzhL/gWmmfsMsNWUZV8le27t7mZOljg5fAQTQWtGCgd1ScnQMy://kGCg2+QG9Sts
Malware Config

Extracted
  Family: redline
  Botnet: Cong
  C2: 199.115.193.171:48258
  auth_value: aecbeec46b8431628af8ba12e4621a71
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, such as saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description             pid   target pid  process                               target process
    set thread context of   1388  1364        3c62500496bfc4f35d38ddbe71be78c2.exe  3c62500496bfc4f35d38ddbe71be78c2.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1364  3c62500496bfc4f35d38ddbe71be78c2.exe
    1364  3c62500496bfc4f35d38ddbe71be78c2.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1364  3c62500496bfc4f35d38ddbe71be78c2.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (9 identical entries):
    description          pid   target pid  process                               target process
    wrote to memory of   1388  1364        3c62500496bfc4f35d38ddbe71be78c2.exe  3c62500496bfc4f35d38ddbe71be78c2.exe   (x9)
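The four cross-process signatures above are printed by the sandbox as flattened "Processes:" tables, which makes the parent-to-child relationship easy to miss. The following is an added example, not part of the sandbox report and not code from the RedLine sample: it parses the report's own rows (copied here as constructed strings; the nine identical WriteProcessMemory rows are generated rather than pasted) into a source/target graph and applies a heuristic of this example, namely that WriteProcessMemory into a child followed by SetThreadContext on it is the API sequence process hollowing uses, and that a child carrying the same image as its parent is the self-hollowing form common in packed stealers. The regular expressions and the "self-hollowing"/"remote-injection" labels are this example's assumptions, not sandbox verdicts.

```python
import re
from collections import defaultdict

# Constructed from the report: the sandbox flattens each signature's
# "Processes:" table onto one line with the column headers prepended.
EXE = "3c62500496bfc4f35d38ddbe71be78c2.exe"
SET_THREAD_CONTEXT_LINE = (
    f"{EXE}description pid process target process "
    f"PID 1388 set thread context of 1364 1388 {EXE} {EXE} -"
)
ADJUST_TOKEN_LINE = f"{EXE}description pid process Token: SeDebugPrivilege 1364 {EXE}"
WRITE_PROCESS_MEMORY_LINE = (
    f"{EXE}description pid process target process "
    + " ".join([f"PID 1388 wrote to memory of 1364 1388 {EXE} {EXE}"] * 9)
)

# Row shapes as they appear in the flattened tables (assumption of this example).
RE_SET_CONTEXT = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
RE_WRITE_MEMORY = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
RE_TOKEN = re.compile(r"Token: (\S+) (\d+) (\S+)")


def parse_ioc_lines(lines):
    """Build a cross-process graph from flattened IoC lines.

    Returns (edges, privileges): edges[(src_pid, dst_pid)] counts the
    WriteProcessMemory rows and records whether SetThreadContext was seen;
    privileges[pid] lists the privileges enabled via AdjustTokenPrivileges.
    """
    edges = defaultdict(lambda: {"writes": 0, "set_context": False,
                                 "src_image": None, "dst_image": None})
    privileges = defaultdict(list)
    for line in lines:
        for src, dst, src_img, dst_img in RE_WRITE_MEMORY.findall(line):
            e = edges[(int(src), int(dst))]
            e["writes"] += 1
            e["src_image"], e["dst_image"] = src_img, dst_img
        for src, dst, src_img, dst_img in RE_SET_CONTEXT.findall(line):
            e = edges[(int(src), int(dst))]
            e["set_context"] = True
            e["src_image"], e["dst_image"] = src_img, dst_img
        for priv, pid, _image in RE_TOKEN.findall(line):
            privileges[int(pid)].append(priv)
    return dict(edges), dict(privileges)


def classify_injection(edges):
    """Heuristic (this example's assumption, not a sandbox verdict): memory
    writes into a process plus SetThreadContext on it is the hollowing
    sequence; same image on both sides marks it as self-hollowing."""
    findings = []
    for (src, dst), e in edges.items():
        if e["writes"] and e["set_context"]:
            kind = ("self-hollowing" if e["src_image"] == e["dst_image"]
                    else "remote-injection")
            findings.append((src, dst, kind, e["writes"]))
    return findings


def summarize(lines):
    """Human-readable chain, one line per finding, plus enabled privileges."""
    edges, privileges = parse_ioc_lines(lines)
    out = [f"PID {src} -> PID {dst}: {kind} ({writes} WriteProcessMemory calls)"
           for src, dst, kind, writes in classify_injection(edges)]
    for pid, privs in sorted(privileges.items()):
        out.append(f"PID {pid} enabled {', '.join(privs)}")
    return out


if __name__ == "__main__":
    for line in summarize([SET_THREAD_CONTEXT_LINE, ADJUST_TOKEN_LINE,
                           WRITE_PROCESS_MEMORY_LINE]):
        print(line)
```

Run against the report's rows this yields one edge, 1388 -> 1364, with nine writes and a context switch, which is the chain the process tree below shows as a level-1 process spawning a copy of itself; the child is also the process that enables SeDebugPrivilege and enumerates processes, so the injected code, not the packed outer executable, is what runs the stealer logic.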
Processes

C:\Users\Admin\AppData\Local\Temp\3c62500496bfc4f35d38ddbe71be78c2.exe   (PID 1388, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3c62500496bfc4f35d38ddbe71be78c2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3c62500496bfc4f35d38ddbe71be78c2.exe   (PID 1364, depth 2, child of PID 1388)
    command line: C:\Users\Admin\AppData\Local\Temp\3c62500496bfc4f35d38ddbe71be78c2.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

memory/1364-56-0x0000000000400000-0x0000000000432000-memory.dmp   (filesize 200KB)
memory/1364-58-0x0000000000400000-0x0000000000432000-memory.dmp   (filesize 200KB)
memory/1364-60-0x0000000000400000-0x0000000000432000-memory.dmp   (filesize 200KB)
memory/1364-61-0x0000000000360000-0x00000000003A0000-memory.dmp   (filesize 256KB)
memory/1388-54-0x00000000010D0000-0x00000000011B6000-memory.dmp   (filesize 920KB)
memory/1388-55-0x0000000004CF0000-0x0000000004D30000-memory.dmp   (filesize 256KB)
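The dump names above encode the process and the virtual address range that was captured, so they can be read without opening the files. The following is an added example, not part of the sandbox report: it parses the names (the layout memory/<pid>-<n>-<start>-<end>-memory.dmp is read off these entries; that <n> is a per-run snapshot counter is this example's assumption), recomputes each region's size to cross-check the printed label, collapses repeated dumps of one range into a snapshot count, and flags any region sitting at 0x00400000, the default image base 32-bit linkers give an EXE, as the place a hollowed payload would be mapped. That flag is a heuristic of this example, not a sandbox result.

```python
import re

# Constructed from the report's "Downloads" list: dump name plus the size
# label the sandbox printed next to it.
SAMPLE_DUMPS = [
    ("memory/1364-56-0x0000000000400000-0x0000000000432000-memory.dmp", "200KB"),
    ("memory/1364-58-0x0000000000400000-0x0000000000432000-memory.dmp", "200KB"),
    ("memory/1364-60-0x0000000000400000-0x0000000000432000-memory.dmp", "200KB"),
    ("memory/1364-61-0x0000000000360000-0x00000000003A0000-memory.dmp", "256KB"),
    ("memory/1388-54-0x00000000010D0000-0x00000000011B6000-memory.dmp", "920KB"),
    ("memory/1388-55-0x0000000004CF0000-0x0000000004D30000-memory.dmp", "256KB"),
]

# Name layout as observed in the listing (assumption: <n> is a snapshot counter).
RE_DUMP = re.compile(
    r"memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base of a 32-bit EXE; a payload mapped there inside a child
# that its parent wrote into is the classic hollowing layout (heuristic).
DEFAULT_IMAGE_BASE_X86 = 0x00400000
PAGE = 0x1000


def parse_dump_name(name):
    """Split a dump name into pid, snapshot number and page-aligned range."""
    m = RE_DUMP.search(name)
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"implausible page range in {name}")
    return {"pid": int(m["pid"]), "n": int(m["n"]),
            "start": start, "end": end, "size": end - start}


def size_label(nbytes):
    """The sandbox prints whole KiB; reproduce that to cross-check its labels."""
    return f"{nbytes // 1024}KB"


def verify_labels(dumps):
    """Names whose printed size disagrees with the size implied by the range."""
    return [name for name, label in dumps
            if size_label(parse_dump_name(name)["size"]) != label]


def regions_by_pid(dumps):
    """Collapse repeated dumps of one range into a region with a snapshot count,
    preserving first-seen order per process."""
    regions = {}
    for name, _label in dumps:
        d = parse_dump_name(name)
        key = (d["pid"], d["start"], d["end"])
        r = regions.setdefault(key, {**d, "snapshots": 0, "snapshot_ids": []})
        r["snapshots"] += 1
        r["snapshot_ids"].append(d["n"])
    by_pid = {}
    for (pid, _start, _end), r in regions.items():
        by_pid.setdefault(pid, []).append(r)
    return by_pid


def likely_payload_regions(by_pid):
    """Heuristic: regions at the x86 default image base, as (pid, start, size)."""
    return [(pid, r["start"], r["size"]) for pid, rs in by_pid.items()
            for r in rs if r["start"] == DEFAULT_IMAGE_BASE_X86]


if __name__ == "__main__":
    by_pid = regions_by_pid(SAMPLE_DUMPS)
    for pid, rs in by_pid.items():
        for r in rs:
            print(f"pid {pid}: 0x{r['start']:08X}-0x{r['end']:08X} "
                  f"{size_label(r['size'])} x{r['snapshots']} {r['snapshot_ids']}")
    print("label mismatches:", verify_labels(SAMPLE_DUMPS))
    print("payload candidates:", likely_payload_regions(by_pid))
```

For this report every label matches its range. The parent (PID 1388) holds a 920KB region at 0x010D0000, the size one would expect for the 895KB sample mapped as an image, while the child (PID 1364) holds a 200KB region at 0x00400000 that the sandbox captured three times (snapshots 56, 58 and 60). That 200KB region is where the RedLine module written by the parent would be expected to sit; confirming it means opening the dump and checking for a PE header, which the listing alone does not show.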