Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2024, 03:42
Static task
static1
Behavioral task
behavioral1
Sample
741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe
Resource
win10v2004-20231215-en
General
-
Target
741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe
-
Size
373KB
-
MD5
ce91f8404dc12c587a5bd02ce1079e34
-
SHA1
27882df4f5c0152b8d931f28e1df1608dd385ff9
-
SHA256
741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a
-
SHA512
fbda65c8b46f3909ed2c3bddb94c088a6ea95ea4fad3f4599700fc35e1c245177903edb7a5ef9939c9403b46f0f050aa1201b87fe092933d663911f0ca9ad9ae
-
SSDEEP
6144:Q2kyf8q+lw7zU4AJAuNMe7OKpfJ1YIVYNE0q8JffQ4FErTrISfI5K3HWjOjXQL7y:Q2wMzUZJQe7fpfJaI2NEgff824qGi7y
Malware Config
Extracted
redline
@KillerBSC
45.15.156.167:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/3064-4-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4232 set thread context of 3064 4232 741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe 92 -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 3064 RegAsm.exe 3064 RegAsm.exe 3064 RegAsm.exe 3064 RegAsm.exe 3064 RegAsm.exe 3064 RegAsm.exe 3064 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3064 RegAsm.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4232 wrote to memory of 3064 4232 741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe 92 PID 4232 wrote to memory of 3064 4232 741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe 92 PID 4232 wrote to memory of 3064 4232 741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe 92 PID 4232 wrote to memory of 3064 4232 741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe 92 PID 4232 wrote to memory of 3064 4232 741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe 92 PID 4232 wrote to memory of 3064 4232 741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe 92 PID 4232 wrote to memory of 3064 4232 741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe 92 PID 4232 wrote to memory of 3064 4232 741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe"C:\Users\Admin\AppData\Local\Temp\741f858f958dbf16c5eba258ebf662a13a028d215fc12aec3eaef0c715bd496a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064
-