Analysis
-
max time kernel
135s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2023 15:35
Behavioral task
behavioral1
Sample
02544999.exe
Resource
win7-20230220-en
General
-
Target
02544999.exe
-
Size
172KB
-
MD5
7c412cfbd52a7cdc085f22d008303140
-
SHA1
97b64b26e4ae34360f4642b823e1a2d66d3be7d7
-
SHA256
0adfdaf7ffac50f3e5bfebe95f1a33552447ca7d800080f767f9b3b8d1780135
-
SHA512
84f4b21f1df6cef5b39ca541af4a5615d8e9d6ef2749454a04fd65cdfd9b2179697417987cdc57584611405505fb54dd64a632f23108d0bb664b13ed67e6cb22
-
SSDEEP
3072:QBF8QOIKbe97H9rWRxNB2NjrOSHy+8e8hg:q8MVdaHMOSHy+
Malware Config
Extracted
Family redline
Botnet maxi
C2 83.97.73.126:19048
-
auth_value
6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
02544999.exe
pid process
4924 02544999.exe (the same entry is listed 26 times)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
02544999.exe
description pid process
Token: SeDebugPrivilege 4924 02544999.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/4924-133-0x00000000001F0000-0x0000000000220000-memory.dmp
Filesize 192KB
-
memory/4924-134-0x000000000A680000-0x000000000AC98000-memory.dmp
Filesize 6.1MB
-
memory/4924-135-0x000000000A170000-0x000000000A27A000-memory.dmp
Filesize 1.0MB
-
memory/4924-136-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
Filesize 64KB
-
memory/4924-137-0x000000000A0A0000-0x000000000A0B2000-memory.dmp
Filesize 72KB
-
memory/4924-138-0x000000000A100000-0x000000000A13C000-memory.dmp
Filesize 240KB
-
memory/4924-139-0x000000000A410000-0x000000000A486000-memory.dmp
Filesize 472KB
-
memory/4924-140-0x000000000A530000-0x000000000A5C2000-memory.dmp
Filesize 584KB
-
memory/4924-141-0x000000000B250000-0x000000000B7F4000-memory.dmp
Filesize 5.6MB
-
memory/4924-142-0x000000000A5D0000-0x000000000A636000-memory.dmp
Filesize 408KB
-
memory/4924-143-0x000000000AE10000-0x000000000AE60000-memory.dmp
Filesize 320KB
-
memory/4924-144-0x000000000B9D0000-0x000000000BB92000-memory.dmp
Filesize 1.8MB
-
memory/4924-145-0x000000000C0D0000-0x000000000C5FC000-memory.dmp
Filesize 5.2MB
-
memory/4924-146-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
Filesize 64KB
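Each dump name above encodes the pid, a sequence number and the virtual address range that was captured, so the listing can be sanity-checked offline before any of the files are pulled down: the printed size should equal end minus start, every range should be page aligned, and a range that appears more than once (0x4CD0000-0x4CE0000 is dumped as both 136 and 146) tells you the sandbox captured that region twice. The following is an added example, not code from the report or the sandbox vendor: it parses the names in the listing, recomputes the sizes in the report's own KB/MB style and reports mismatches, repeated regions and the total bytes dumped. The name layout memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is inferred from the names themselves.

```python
"""Re-check the memory-dump listing: the size printed for each dump should
equal end - start of the range in its file name, and regions dumped more
than once are worth knowing about before triaging the files.

Added example, not part of the sandbox report. The names and sizes are copied
from the listing; the name layout memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
is an assumption inferred from those names.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, size as printed in the report)
REPORTED = [
    ("memory/4924-133-0x00000000001F0000-0x0000000000220000-memory.dmp", "192KB"),
    ("memory/4924-134-0x000000000A680000-0x000000000AC98000-memory.dmp", "6.1MB"),
    ("memory/4924-135-0x000000000A170000-0x000000000A27A000-memory.dmp", "1.0MB"),
    ("memory/4924-136-0x0000000004CD0000-0x0000000004CE0000-memory.dmp", "64KB"),
    ("memory/4924-137-0x000000000A0A0000-0x000000000A0B2000-memory.dmp", "72KB"),
    ("memory/4924-138-0x000000000A100000-0x000000000A13C000-memory.dmp", "240KB"),
    ("memory/4924-139-0x000000000A410000-0x000000000A486000-memory.dmp", "472KB"),
    ("memory/4924-140-0x000000000A530000-0x000000000A5C2000-memory.dmp", "584KB"),
    ("memory/4924-141-0x000000000B250000-0x000000000B7F4000-memory.dmp", "5.6MB"),
    ("memory/4924-142-0x000000000A5D0000-0x000000000A636000-memory.dmp", "408KB"),
    ("memory/4924-143-0x000000000AE10000-0x000000000AE60000-memory.dmp", "320KB"),
    ("memory/4924-144-0x000000000B9D0000-0x000000000BB92000-memory.dmp", "1.8MB"),
    ("memory/4924-145-0x000000000C0D0000-0x000000000C5FC000-memory.dmp", "5.2MB"),
    ("memory/4924-146-0x0000000004CD0000-0x0000000004CE0000-memory.dmp", "64KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, sequence number and address range; reject garbage."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError("not a sandbox memory dump name: %r" % name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError("range is not a non-empty, page-aligned region: %r" % name)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Format the way the report does: whole KiB below 1 MiB, one decimal MiB above."""
    if n < 1 << 20:
        return "%dKB" % (n // 1024)
    return "%.1fMB" % (n / float(1 << 20))


def check_listing(entries):
    """Return (mismatches, repeated_regions, total_bytes) for a list of (name, size)."""
    mismatches = []
    by_region = defaultdict(list)
    total = 0
    for name, reported in entries:
        d = parse_dump_name(name)
        total += d["size"]
        by_region[(d["start"], d["end"])].append(d["seq"])
        computed = human_size(d["size"])
        if computed != reported:
            mismatches.append((name, reported, computed))
    repeated = {region: seqs for region, seqs in by_region.items() if len(seqs) > 1}
    return mismatches, repeated, total


if __name__ == "__main__":
    bad, again, total = check_listing(REPORTED)
    print("size mismatches:", bad or "none")
    for (start, end), seqs in again.items():
        print("region 0x%X-0x%X dumped %d times (seq %s)" % (start, end, len(seqs), seqs))
    print("total dumped:", human_size(total))
```

For this report the check comes back clean (no mismatches) and singles out the 64KB region at 0x4CD0000 as the one captured twice; the repeated-region list is the first thing to diff once the files are downloaded, since a second capture of the same range usually means its contents changed between the two points in the run.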