Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
22-01-2024 12:46
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20231215-en
General
-
Target
file.exe
-
Size
383KB
-
MD5
4dc62aa51086843a31d87236c87f21e4
-
SHA1
c7cdc373668dd8f7373a433ed0f3703843b67c10
-
SHA256
5a1a04657de632f044fcf0f4b089686de18840fa979a8265d8f9978f4feb5d27
-
SHA512
a876f4404d3be84ff8c36bd1005d844b0c22630cafb34631db7b07009c95f6564864a6811bb1b45ac415a64000748cb1626aa367d3deb8b616b6633bfde06658
-
SSDEEP
6144:4TDPRqvaD9nM07ZX1SpbCVHfBwoxHdHylxT8MSe1YpWEwuSoh:W9nP1XIm/BvxcxlSOw8uSoh
Malware Config
Extracted
redline
LiveTraffic
20.113.35.45:38357
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2196-7-0x0000000000400000-0x0000000000454000-memory.dmp family_redline behavioral1/memory/2196-8-0x0000000000400000-0x0000000000454000-memory.dmp family_redline behavioral1/memory/2196-11-0x0000000000400000-0x0000000000454000-memory.dmp family_redline behavioral1/memory/2196-13-0x0000000000400000-0x0000000000454000-memory.dmp family_redline behavioral1/memory/2196-16-0x0000000000400000-0x0000000000454000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2268 set thread context of 2196 2268 file.exe 28 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2196 RegAsm.exe 2196 RegAsm.exe 2196 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2196 RegAsm.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28 PID 2268 wrote to memory of 2196 2268 file.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196
-