Analysis
-
max time kernel
30s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
12-06-2023 04:39
Behavioral task
behavioral1
Sample
f8086505.exe
Resource
win7-20230220-en
General
-
Target
f8086505.exe
-
Size
172KB
-
MD5
6a5722a1874b3243058b54c30ecf7992
-
SHA1
2132375423ecf7c3b9a396abb9cf32e6b4dcc143
-
SHA256
a315335b3aa261cfb29b4198d9aee51202cce30efb1d184f4d8f943ec5f769d5
-
SHA512
0f0a2ea7d32cd49938bacbc2975c9e5159ce250c1beb16b5b779e1ff3bfc74a5c4ce37369b380ee66fe330a254b4caf7cd127c8bc9e299241e4796b4708f3458
-
SSDEEP
3072:qhiSbCnywYdhlHTzBQxNVGVbtlQn8e8hX:UiSbVFp22lQn
Malware Config
Extracted
redline
doro
83.97.73.129:19068
-
auth_value
03f411441fb3fa233179c2cc8ffbce27
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
f8086505.exepid process 1244 f8086505.exe 1244 f8086505.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
f8086505.exedescription pid process Token: SeDebugPrivilege 1244 f8086505.exe