Analysis
- max time kernel: 91s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2023 05:41
Static task: static1
Behavioral task: behavioral1
- Sample: 8f3e21d3d15b6ea17b573452d7857c16.exe
- Resource: win7-20230220-en
General
- Target: 8f3e21d3d15b6ea17b573452d7857c16.exe
- Size: 1.7MB
- MD5: 8f3e21d3d15b6ea17b573452d7857c16
- SHA1: 3fbde3bd6f2f2001b8cd242cd9d68307fd140f9c
- SHA256: 14357575e409e06a45243465cd697a6c22f847968fcec7e5cd9238aa9419777c
- SHA512: b8509127717de92eec70d9ef716192fa73c2b1bd2e5fe2c04f62cf9f6b87ef208da919eaee6fcf00ffe37008e6aedd58edbd4404aae62378346fa2ab9519b324
- SSDEEP: 12288:n0Hef2besfNRcrPNWdLBOr8GN54GiSdeiFIblEIwoZEsDbqhuhDW:Wl60wJ
Malware Config
Extracted
- Family: redline
- Botnet: build1
- C2: 101.99.93.194:28049
- auth_value: d9b4859f9090a89a831ab84ed61a9faf
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                            pid   process                                 target process
    PID 3760 set thread context of 4200    3760  8f3e21d3d15b6ea17b573452d7857c16.exe    8f3e21d3d15b6ea17b573452d7857c16.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    3760  8f3e21d3d15b6ea17b573452d7857c16.exe
  (the same pid/process pair is recorded for all 64 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   3760  8f3e21d3d15b6ea17b573452d7857c16.exe
    Token: SeDebugPrivilege   4200  8f3e21d3d15b6ea17b573452d7857c16.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                          pid   process                                 target process
    PID 3760 wrote to memory of 4200     3760  8f3e21d3d15b6ea17b573452d7857c16.exe    8f3e21d3d15b6ea17b573452d7857c16.exe
  (the same entry is recorded for all 8 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\8f3e21d3d15b6ea17b573452d7857c16.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f3e21d3d15b6ea17b573452d7857c16.exe"
  PID: 3760
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8f3e21d3d15b6ea17b573452d7857c16.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8f3e21d3d15b6ea17b573452d7857c16.exe"
    PID: 4200
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8f3e21d3d15b6ea17b573452d7857c16.exe.log
  Filesize: 1KB
  MD5: 568cff9ba1570565b45bf9ef7e636f7f
  SHA1: d07d800e4334c2566181d3fcf9d644512a5a992e
  SHA256: b094cb1ef7da4d1a6ed0b9dc687619033e44b960f4be00652a46fe945398bc09
  SHA512: 623e2fc4ba85f3465744dcd3e52cfa9e83009d18d5a8f4239842b2ddd0b0c91cd447072f7844cd9e6f8ef571f38743b22820f5cc741f9e55823d241146f9830b