Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-03-2024 07:01
Behavioral task
- behavioral1
- Sample: virussign.com_324cd2aa01131d3419364aef51cd95c2.exe
- Resource: win7-20240221-en
General
- Target: virussign.com_324cd2aa01131d3419364aef51cd95c2.exe
- Size: 297KB
- MD5: 324cd2aa01131d3419364aef51cd95c2
- SHA1: bf31fe4a25cd9a83d59c03f6718a54838385ec3a
- SHA256: 53896a28c864d9849469b0d71efcb5ae0063f8b13c9bad6cfa040218b3de5a2d
- SHA512: fea172b15721a761432b2e7db8919cd8ab8ae87c63e9a493864ccbc9a6f4d6bf793bd5bfa9eb26fe0ee075a1c8728383c5f672695a91cd84b67b0d845fccce11
- SSDEEP: 3072:nqFFrqwIOGaHy9MGSwTc4klV4w5qv65TlacJTrcfHIicZqf7D34deqiOLCbBOyj:qBIOGu4kcw5hlVJTrqzcZqf7DInLC
Malware Config
Extracted
- Family: redline
- Botnet: SomeOne
- C2: 67.203.7.148:2909
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/4700-0-0x0000000000690000-0x00000000006E0000-memory.dmp, yara_rule: family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  process: virussign.com_324cd2aa01131d3419364aef51cd95c2.exe, pid 4700 (5 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  process: virussign.com_324cd2aa01131d3419364aef51cd95c2.exe, pid 4700, Token: SeDebugPrivilege
Downloads
- memory/4700-0-0x0000000000690000-0x00000000006E0000-memory.dmp (320KB)
- memory/4700-1-0x00000000751C0000-0x0000000075970000-memory.dmp (7.7MB)
- memory/4700-2-0x0000000005740000-0x0000000005CE4000-memory.dmp (5.6MB)
- memory/4700-3-0x0000000005090000-0x0000000005122000-memory.dmp (584KB)
- memory/4700-4-0x0000000005020000-0x0000000005030000-memory.dmp (64KB)
- memory/4700-5-0x0000000005150000-0x000000000515A000-memory.dmp (40KB)
- memory/4700-6-0x0000000006310000-0x0000000006928000-memory.dmp (6.1MB)
- memory/4700-7-0x0000000005410000-0x000000000551A000-memory.dmp (1.0MB)
- memory/4700-8-0x0000000005330000-0x0000000005342000-memory.dmp (72KB)
- memory/4700-9-0x0000000005390000-0x00000000053CC000-memory.dmp (240KB)
- memory/4700-10-0x0000000005520000-0x000000000556C000-memory.dmp (304KB)
- memory/4700-11-0x0000000005690000-0x00000000056F6000-memory.dmp (408KB)
- memory/4700-12-0x0000000006C00000-0x0000000006DC2000-memory.dmp (1.8MB)
- memory/4700-13-0x0000000007300000-0x000000000782C000-memory.dmp (5.2MB)
- memory/4700-14-0x0000000007880000-0x00000000078D0000-memory.dmp (320KB)
- memory/4700-16-0x00000000751C0000-0x0000000075970000-memory.dmp (7.7MB)