Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 12-01-2024 13:04
Behavioral task
- behavioral1
- Sample: file.exe
- Resource: win7-20231129-en
General
- Target: file.exe
- Size: 95KB
- MD5: 3c78cef4203a47012167be0877274540
- SHA1: 8fba278e3fbcfcf5dffc871a92aa0a5a382edda8
- SHA256: 202ebcf24cd4b6a4394e7dddd7ee98bceb9ac2b8c281e9f4610c7a93dafaa959
- SHA512: 009391e72b23e5fd963a09dc1a91db37b9b0815cea80311333c8c7f52cb0c43095cc29b60d7db145b49006b7c2fdcdfda31e52c8f6ceeb7085c4dc615b3fae66
- SSDEEP: 1536:9qs+NqLGlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2jteulgS6pY:rqMOY3+zi0ZbYe1g0ujyzdvY
Malware Config
Extracted
redline
Exodus
91.92.255.187:1334
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
- resource: behavioral1/memory/2124-0-0x0000000000DE0000-0x0000000000DFE000-memory.dmp; yara_rule: family_redline
-
SectopRAT payload 1 IoCs
Processes:
- resource: behavioral1/memory/2124-0-0x0000000000DE0000-0x0000000000DFE000-memory.dmp; yara_rule: family_sectoprat
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar profile data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- pid 2124, process file.exe
- pid 2124, process file.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- description: Token: SeDebugPrivilege; pid 2124; process file.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar1BFE.tmp
Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\tmp21EA.tmp
Filesize: 46KB
MD5: 02d2c46697e3714e49f46b680b9a6b83
SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmp2200.tmp
Filesize: 92KB
MD5: b9858d49711b377343dad7336af34a75
SHA1: 807eee110edcaf45772bf902d32adfe72d7aa7e0
SHA256: 29796e50a6e69754ef1bb64d0dd9ca2e657c8de2843e06d689c0b5125c9d3ce3
SHA512: 9525413e6bf14f24f2dedccac36a153ddee2d88f3ee0ce87d8ac4cd3ea63d33fa439cf28d3e155e9e7be0d0856d0b01e2813dc67e890724c4cd71714490cff5d
-
memory/2124-0-0x0000000000DE0000-0x0000000000DFE000-memory.dmp
Filesize: 120KB
-
memory/2124-1-0x0000000074520000-0x0000000074C0E000-memory.dmp
Filesize: 6.9MB
-
memory/2124-2-0x00000000047D0000-0x0000000004810000-memory.dmp
Filesize: 256KB
-
memory/2124-3-0x0000000074520000-0x0000000074C0E000-memory.dmp
Filesize: 6.9MB
-
memory/2124-4-0x00000000047D0000-0x0000000004810000-memory.dmp
Filesize: 256KB