Analysis
- max time kernel: 92s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-05-2024 06:19
Static task
- static1

Behavioral tasks (sample; resource)
- behavioral1: 0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440.exe; win7-20240508-en
- behavioral2: 0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440.exe; win10v2004-20240426-en
- behavioral3: 127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe; win10v2004-20240508-en
- behavioral4: 138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe; win10v2004-20240508-en
- behavioral5: 3a88637efb4cafae6238b6c3dc5b6b17b7a535e47a3f6a230dcc5cf428db3ad4.exe; win10v2004-20240426-en
- behavioral6: 5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe; win7-20231129-en
- behavioral7: 5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe; win10v2004-20240426-en
- behavioral8: 6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb.exe; win7-20240220-en
- behavioral9: 6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb.exe; win10v2004-20240426-en
- behavioral10: 8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61.exe; win7-20240419-en
- behavioral11: 8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61.exe; win10v2004-20240508-en
- behavioral12: 86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe; win10v2004-20240508-en
- behavioral13: 8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e.exe; win10v2004-20240508-en
- behavioral14: 9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe; win10v2004-20240508-en
- behavioral15: 9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0.exe; win7-20240221-en
- behavioral16: 9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0.exe; win10v2004-20240508-en
- behavioral17: a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea.exe; win7-20240215-en
- behavioral18: a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea.exe; win10v2004-20240508-en
- behavioral19: b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe; win7-20240221-en
- behavioral20: b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe; win10v2004-20240508-en
- behavioral21: dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe; win10v2004-20240426-en
- behavioral22: ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe; win10v2004-20240508-en
- behavioral23: ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe; win7-20240221-en
- behavioral24: ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe; win10v2004-20240426-en
General
- Target: b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe
- Size: 332KB
- MD5: 187d281b7f99aaa9958e8fd2a3ab4ca4
- SHA1: 4154b6a67a62d0fd8c15c681307658061b08d820
- SHA256: b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a
- SHA512: c7b432d26a86ddd0f7304f9e3a8fa9c3ff26d936210cba7645fc6a3edaccd38ef05f62540ad29fee8ad12c6838dd948dab5ce30620246badf1ea447519688ad7
- SSDEEP: 6144:+lZwB/LgLB340nTaDpOU7riHRkyghKxWYc9GkbV9hP1l/F+0Xp:+nhLB340nTP+ygMxW9pzhPo0Xp
Malware Config
Extracted
- Family: redline
- Botnet: 7001210066
- C2: https://pastebin.com/raw/NgsUAPya
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral20/memory/4992-2-0x0000000000400000-0x0000000000422000-memory.dmp; yara_rule: family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 1: pastebin.com; flow 3: pastebin.com
- Suspicious use of SetThreadContext (1 IoC)
  PID 4940 set thread context of 4992; pid 4940; process b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe; procid_target 83
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid 4992, process RegAsm.exe (13 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid 4992; process RegAsm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4940 wrote to memory of 4992; pid 4940; process b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe; procid_target 83 (8 identical entries)
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe"
  PID: 4940
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process
    Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 4992
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken