Overview
overview
10Static
static
300dc3a43dd...78.exe
windows10-2004-x64
10061669c83b...c0.exe
windows10-2004-x64
100cc30df7f6...35.exe
windows10-2004-x64
101b26ae68f4...45.exe
windows10-2004-x64
103b9256f691...90.exe
windows7-x64
33b9256f691...90.exe
windows10-2004-x64
103ddd80ba69...8c.exe
windows7-x64
33ddd80ba69...8c.exe
windows10-2004-x64
103ff55c48fd...c7.exe
windows10-2004-x64
1050be51fdd5...4b.exe
windows10-2004-x64
10565e580e21...f4.exe
windows7-x64
1565e580e21...f4.exe
windows10-2004-x64
15f157bb7f5...80.exe
windows10-2004-x64
106c066f3c43...19.exe
windows10-2004-x64
108355a17b5f...ac.exe
windows10-2004-x64
109a3f5d3f84...b2.exe
windows10-2004-x64
10ae66f2f071...07.exe
windows10-2004-x64
10b0fef95ff5...7c.exe
windows10-2004-x64
10b11b1b57a3...06.exe
windows10-2004-x64
10cd9de412cd...04.exe
windows7-x64
10cd9de412cd...04.exe
windows10-2004-x64
10db84115968...f3.exe
windows10-2004-x64
10dce60a71ca...cc.exe
windows10-2004-x64
f5bf417643...17.exe
windows7-x64
3f5bf417643...17.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 15:13
Static task
static1
Behavioral task
behavioral1
Sample
00dc3a43dda255a61bd370ebbf0fc0431112da3c176a205489b4a2113c396878.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
061669c83be149e85a977dfd41981b6115bf335e8f5bf4a2c696247dbf3999c0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1b26ae68f4d9a6a0bfd1a8c92489c6dcdb1a4e6ca483442c2b307329cdfb9345.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c.exe
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
3ff55c48fddf370349ae0853c3e33d313791cbfb7239e43b70ad977035a132c7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
50be51fdd59dbf4ac078600bca6c8481f0e5baf0010085e6e0ce8d763e87da4b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
8355a17b5fec607c779bf1f01bc6596fc82dd876042977ec7aba895db3f1faac.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
9a3f5d3f84858840f8bdd8879b66a6c1ccb772e507f7f09dfe1c5a88e2d33db2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
b11b1b57a3bb5f7ea58bd5b191ab3813432fcc41e7f4e321fa61b848d8c86606.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
dce60a71ca88a61a579b58be67a969e9f1f6620feaff4c7102883b680d0162cc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17.exe
Resource
win7-20231129-en
General
-
Target
3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe
-
Size
333KB
-
MD5
db031db0c2f83c7dc31f6a33ea4fb0e8
-
SHA1
e036ce1e5f3cbd4bba8f75252d22035f76d28ed8
-
SHA256
3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90
-
SHA512
abeebc4e59a691ca22c9eefb03c732bb66803a1a540cd7c8e35fdfadd7bee3495b168599e04524e0e7f814b058664eb1dc62859d398c78156991f0ac9efde1b3
-
SSDEEP
6144:i1RwZfFQDOioMvzATd5W0jbSXRYyghIqjjjjjjjCTGKR5/yjNNThd9g+0Xp:i/zDOioMvzA+iygiqjjjjjjjCTJkThto
Malware Config
Extracted
redline
5345987420
https://pastebin.com/raw/NgsUAPya
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral6/memory/1584-2-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 12 pastebin.com 14 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1100 set thread context of 1584 1100 3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe 84 -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe 1584 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1584 RegAsm.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1100 wrote to memory of 1584 1100 3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe 84 PID 1100 wrote to memory of 1584 1100 3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe 84 PID 1100 wrote to memory of 1584 1100 3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe 84 PID 1100 wrote to memory of 1584 1100 3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe 84 PID 1100 wrote to memory of 1584 1100 3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe 84 PID 1100 wrote to memory of 1584 1100 3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe 84 PID 1100 wrote to memory of 1584 1100 3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe 84 PID 1100 wrote to memory of 1584 1100 3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe"C:\Users\Admin\AppData\Local\Temp\3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
-