Analysis
Max time kernel: 117s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 18-01-2024 15:35
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20231215-en
General
Target: file.exe
Size: 95KB
MD5: 7b63bc67f8cfe9bc22c438385ba58006
SHA1: eae4091ee9dcf2053f5ada8a1fd53a8b5fa141d3
SHA256: e87c2e0db6b9afb310b006c90c48b066d4b1aa79184ae81c87d26076993cd6a0
SHA512: 2f7a671670d9f49f3677789412aad814f3097b43460fe4dda6a285d2f6a6f22821aa1bb3ad1c3fe92a83c029c2953aeb061f0efef63c3fec1134dfe99a3d53db
SSDEEP: 1536:9qs+NqLGlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2ZteulgS6pY:rqMOY3+zi0ZbYe1g0ujyzddY
Malware Config
Extracted family: redline
Botnet: Exodus
C2: 91.92.252.249:1334
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  Resources matched by yara_rule family_redline:
    behavioral1/memory/1280-0-0x00000000001D0000-0x00000000001EE000-memory.dmp
    behavioral1/memory/1280-2-0x0000000000770000-0x00000000007B0000-memory.dmp
- SectopRAT payload (2 IoCs)
  Resources matched by yara_rule family_sectoprat:
    behavioral1/memory/1280-0-0x00000000001D0000-0x00000000001EE000-memory.dmp
    behavioral1/memory/1280-2-0x0000000000770000-0x00000000007B0000-memory.dmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: file.exe (pid 1280), file.exe (pid 1280)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: file.exe (pid 1280), Token: SeDebugPrivilege
Downloads
- C:\Users\Admin\AppData\Local\Temp\Cab55B0.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- C:\Users\Admin\AppData\Local\Temp\Tar56AD.tmp
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- C:\Users\Admin\AppData\Local\Temp\tmp58C4.tmp
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- C:\Users\Admin\AppData\Local\Temp\tmp58EA.tmp
  Filesize: 92KB
  MD5: 1f41b636612a51a6b6a30216ebdd03d8
  SHA1: cea0aba5d98bed1a238006a598214637e1837f3b
  SHA256: 34e9cb63f4457035e2112ba72a9ea952b990947c9dc8fb7303f4d25735f2c81c
  SHA512: 05377e24e0077208a09550b7a35a14c3f96d14013aadee71f377450cb3a13ea70a2b85f6af201e1c9502fc1c33e243b1de09de60313fb5be61bc12f6efe57ca8
- memory/1280-0-0x00000000001D0000-0x00000000001EE000-memory.dmp
  Filesize: 120KB
- memory/1280-1-0x00000000749C0000-0x00000000750AE000-memory.dmp
  Filesize: 6.9MB
- memory/1280-2-0x0000000000770000-0x00000000007B0000-memory.dmp
  Filesize: 256KB
- memory/1280-121-0x00000000749C0000-0x00000000750AE000-memory.dmp
  Filesize: 6.9MB
- memory/1280-122-0x0000000000770000-0x00000000007B0000-memory.dmp
  Filesize: 256KB
- memory/1280-123-0x00000000749C0000-0x00000000750AE000-memory.dmp
  Filesize: 6.9MB