Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 18:14
Behavioral task: behavioral1
Sample: 041bf8121f0b162298d5586cb420fdf5fd09b9fb8b497906f8616e53a76607c7.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 041bf8121f0b162298d5586cb420fdf5fd09b9fb8b497906f8616e53a76607c7.exe
Resource: win10v2004-20240508-en
General
Target: 041bf8121f0b162298d5586cb420fdf5fd09b9fb8b497906f8616e53a76607c7.exe
Size: 94KB
MD5: 5cc66fc0009faaa302fe725f58972c36
SHA1: 8cfb1792385ac13ccd796134bf0ca6f900a44979
SHA256: 041bf8121f0b162298d5586cb420fdf5fd09b9fb8b497906f8616e53a76607c7
SHA512: 3cde9ebaecfa21258b8f84bf59ffb63d03e326dc8cac3325996d2cf0d37878229a90d5789d7c1aaf17bf4cfd2f945805aa231d5cc6231f1a8fb16eb76acb8b8d
SSDEEP: 1536:9ATp9NZjE6oljj9tAtzZM4YCrB/atqgdbibEB/l2kPoSG2:9ATp9DOjj9tA5C4JJatvqEhfr
Malware Config
Extracted
redline
5129512298_99
https://pastebin.com/raw/tnW31tPp
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource: behavioral1/memory/1136-1-0x00000000008A0000-0x00000000008BE000-memory.dmp
yara_rule: family_redline
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
Processes:
flow -> ioc (all 64 flows resolve to pastebin.com): 502, 575, 69, 316, 452, 758, 29, 142, 310, 106, 177, 425, 553, 578, 40, 109, 480, 779, 819, 372, 98, 456, 745, 108, 249, 584, 634, 756, 538, 566, 309, 601, 604, 60, 692, 762, 216, 382, 303, 821, 274, 500, 412, 599, 805, 167, 327, 330, 556, 637, 383, 439, 58, 344, 360, 467, 546, 591, 124, 376, 75, 748, 785, 808
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
041bf8121f0b162298d5586cb420fdf5fd09b9fb8b497906f8616e53a76607c7.exe
description: Token: SeDebugPrivilege
pid: 1136
process: 041bf8121f0b162298d5586cb420fdf5fd09b9fb8b497906f8616e53a76607c7.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/1136-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp, Filesize: 4KB
memory/1136-1-0x00000000008A0000-0x00000000008BE000-memory.dmp, Filesize: 120KB
memory/1136-2-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp, Filesize: 9.9MB
memory/1136-3-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp, Filesize: 4KB
memory/1136-4-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp, Filesize: 9.9MB