Overview
overview
10Static
static
3143e14de3a...c5.exe
windows10-2004-x64
1022c5bd0a3e...19.exe
windows10-2004-x64
10291dafd231...e9.exe
windows10-2004-x64
102e0a9b6a39...9b.exe
windows10-2004-x64
10499d652934...48.exe
windows7-x64
1499d652934...48.exe
windows10-2004-x64
14b8eb94185...c3.exe
windows10-2004-x64
104d09936a4a...bf.exe
windows10-2004-x64
104fbcb0a2f4...73.exe
windows10-2004-x64
1053ecffef24...36.exe
windows10-2004-x64
1059a57474eb...06.exe
windows10-2004-x64
1061f1416a77...2b.exe
windows10-2004-x64
106aec183a58...31.exe
windows10-2004-x64
107182994846...ce.exe
windows7-x64
37182994846...ce.exe
windows10-2004-x64
107506757ba8...b0.exe
windows10-2004-x64
1080ada740eb...52.exe
windows10-2004-x64
109e8418826f...52.exe
windows10-2004-x64
10a898d72b49...84.exe
windows10-2004-x64
10e6baad5a7e...5c.exe
windows10-2004-x64
10ea3dd01036...9e.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 15:28
Static task
static1
Behavioral task
behavioral1
Sample
143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
291dafd2314b673e9b81ee6bd583911db702f910a342dc716c49ce5922bcefe9.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
4fbcb0a2f45aaeb44239e2e00233d34f6efb6c46aa551acf21567602c1b83573.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
6aec183a583bea0012704d51b860a5d4dc2eaa2d5a1b16c1b991a8fb1cc86e31.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
7506757ba820d7ae28d178498db7124eb1c6e346d4700098f7492a46d5e851b0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
9e8418826f07274a00f90b02756f693711350696a60867c9adff98b6c0268e52.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
a898d72b49cc00c36f48fd52d4f754e3c8b758780323239ea18208abf91a9b84.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
e6baad5a7e5385bc92311bc785faeabed25354b22d90f6422ffc65d07a913c5c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e.exe
Resource
win10v2004-20240508-en
General
-
Target
71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe
-
Size
306KB
-
MD5
6ee7eb36e567f6e466aaaf24c199df75
-
SHA1
b0c3b1eaf357df0d49b6db112d91f5b863f05253
-
SHA256
71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce
-
SHA512
dda4269111e1fee9ce47c059884171e43cb165916976763e4cfe484b9bd5dcc12269a4544fb01f1602a168ae920df31de1a06d03c3121560d5388644c0dae743
-
SSDEEP
6144:mUZl9vSWh60RVAtljy11j8A/QGetb58moOBJyL98R:bZKWhHJBYGetvhDyL98R
Malware Config
Extracted
redline
5195552529
https://pastebin.com/raw/NgsUAPya
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral15/memory/1344-0-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 7 pastebin.com 6 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4656 set thread context of 1344 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 84 -
Program crash 1 IoCs
pid pid_target Process procid_target 2672 4656 WerFault.exe 81 -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe 1344 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1344 RegAsm.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4656 wrote to memory of 2684 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 82 PID 4656 wrote to memory of 2684 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 82 PID 4656 wrote to memory of 2684 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 82 PID 4656 wrote to memory of 2680 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 83 PID 4656 wrote to memory of 2680 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 83 PID 4656 wrote to memory of 2680 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 83 PID 4656 wrote to memory of 1344 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 84 PID 4656 wrote to memory of 1344 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 84 PID 4656 wrote to memory of 1344 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 84 PID 4656 wrote to memory of 1344 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 84 PID 4656 wrote to memory of 1344 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 84 PID 4656 wrote to memory of 1344 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 84 PID 4656 wrote to memory of 1344 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 84 PID 4656 wrote to memory of 1344 4656 71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe"C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 3202⤵
- Program crash
PID:2672
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4656 -ip 46561⤵PID:2240