Overview (score 10)

Tasks (score badge per task, as shown on the report's task tabs)

Score  Sample                Platform
3      Static                (static analysis)
3      0033b9ed1c...40.exe   windows7-x64
10     0033b9ed1c...40.exe   windows10-2004-x64
10     1277233607...ba.exe   windows10-2004-x64
7      138ff2ce9b...de.exe   windows10-2004-x64
8      3a88637efb...d4.exe   windows10-2004-x64
3      5a4570005d...a4.exe   windows7-x64
10     5a4570005d...a4.exe   windows10-2004-x64
3      6ade7154c7...fb.exe   windows7-x64
10     6ade7154c7...fb.exe   windows10-2004-x64
3      8167afa496...61.exe   windows7-x64
10     8167afa496...61.exe   windows10-2004-x64
10     86a6beb680...62.exe   windows10-2004-x64
10     8bd2da3bdd...7e.exe   windows10-2004-x64
10     9b9cb00d14...04.exe   windows10-2004-x64
3      9e375a6be4...d0.exe   windows7-x64
10     9e375a6be4...d0.exe   windows10-2004-x64
3      a228d77265...ea.exe   windows7-x64
10     a228d77265...ea.exe   windows10-2004-x64
3      b565c9e6f0...8a.exe   windows7-x64
10     b565c9e6f0...8a.exe   windows10-2004-x64
10     dffc83be30...0a.exe   windows10-2004-x64
10     ebff69daab...05.exe   windows10-2004-x64
3      ee1d385890...f3.exe   windows7-x64
10     ee1d385890...f3.exe   windows10-2004-x64

Analysis (score 10)

max time kernel: 133s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 15:42
Task list

Task           Sample                                                                Resource
static1        (static analysis, no sample listed)                                   -
behavioral1    0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440.exe  win7-20240221-en
behavioral2    0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440.exe  win10v2004-20240226-en
behavioral3    127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe  win10v2004-20240508-en
behavioral4    138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe  win10v2004-20240426-en
behavioral5    3a88637efb4cafae6238b6c3dc5b6b17b7a535e47a3f6a230dcc5cf428db3ad4.exe  win10v2004-20240426-en
behavioral6    5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe  win7-20231129-en
behavioral7    5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe  win10v2004-20240508-en
behavioral8    6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb.exe  win7-20240221-en
behavioral9    6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb.exe  win10v2004-20240508-en
behavioral10   8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61.exe  win7-20240508-en
behavioral11   8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61.exe  win10v2004-20240226-en
behavioral12   86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe  win10v2004-20240426-en
behavioral13   8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e.exe  win10v2004-20240508-en
behavioral14   9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe  win10v2004-20240508-en
behavioral15   9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0.exe  win7-20240508-en
behavioral16   9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0.exe  win10v2004-20240426-en
behavioral17   a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea.exe  win7-20231129-en
behavioral18   a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea.exe  win10v2004-20240426-en
behavioral19   b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe  win7-20240221-en
behavioral20   b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe  win10v2004-20240508-en
behavioral21   dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe  win10v2004-20240508-en
behavioral22   ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe  win10v2004-20240426-en
behavioral23   ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe  win7-20240221-en
behavioral24   ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe  win10v2004-20240226-en
General

Target: ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe
Size: 976KB
MD5: 1d6ed788c4432746e683db0fa5d4b441
SHA1: 6fd5fdedf740667fcf8f70a8586ed498d5f10b52
SHA256: ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3
SHA512: 32ddb59adf493537c4b074e18a5c5684b5c714503d463c69b352fde37cfb98a3f4327c789d848951973476f38c80a3867b634a7364baf3bcf2c16cd351a1eb30
SSDEEP: 12288:ED/mkVPvnuUYmlbWIXcWzMjAcM6RYbyOuEtggbuzUB7ntu7YjDeDGiXq8h1+JdFP:Y3nuUYmYIXcWzGAcO/ztggbBfS29F
Malware Config
Extracted
redline
5195552529
https://pastebin.com/raw/NgsUAPya
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoC)
  Processes:
  resource: behavioral24/memory/2484-2-0x0000000000400000-0x0000000000422000-memory.dmp
  yara_rule: family_redline

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: PID 2828 set thread context of 2484
  process: ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe
  target process: RegAsm.exe

- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes:
  pid 2484, process RegAsm.exe (27 identical entries)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeDebugPrivilege
  pid 2484, process RegAsm.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description: PID 2828 wrote to memory of 2484
  process: ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe
  target process: RegAsm.exe
  (8 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 2828

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2484