Analysis
-
max time kernel
135s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-05-2024 12:52
Static task
static1
Behavioral task
behavioral1
Sample
8e38e8ecd481eb08ceaa4ae363251311.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
8e38e8ecd481eb08ceaa4ae363251311.exe
Resource
win10v2004-20240508-en
General
-
Target
8e38e8ecd481eb08ceaa4ae363251311.exe
-
Size
915KB
-
MD5
8e38e8ecd481eb08ceaa4ae363251311
-
SHA1
8c2a06c4c7b52cb9cd01c414732597e9289b3ad4
-
SHA256
036fb259b53e5db9dbe7039bd4a2c5e2118b3242e38e9c0cc697e4e4c44b9f40
-
SHA512
c02a7be29b8012778a9028b67d71384e0a6a60857f880bf858099aef5a41a21c0068cfd2ff4116176493c28938d5e799ca18738a6e29335c3423f895305d016f
-
SSDEEP
24576:7tASL4DpnNBcMxDlxTWTn6WHmTSHMLir8/dp97A:f4DpnNBcMTxTyYSY1P7A
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.115:40551
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3532-1-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
8e38e8ecd481eb08ceaa4ae363251311.exedescription pid process target process PID 1896 set thread context of 3532 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2044 1896 WerFault.exe 8e38e8ecd481eb08ceaa4ae363251311.exe -
Processes:
RegAsm.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
RegAsm.exepid process 3532 RegAsm.exe 3532 RegAsm.exe 3532 RegAsm.exe 3532 RegAsm.exe 3532 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegAsm.exedescription pid process Token: SeDebugPrivilege 3532 RegAsm.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
8e38e8ecd481eb08ceaa4ae363251311.exedescription pid process target process PID 1896 wrote to memory of 2240 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 2240 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 2240 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 3532 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 3532 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 3532 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 3532 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 3532 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 3532 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 3532 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe PID 1896 wrote to memory of 3532 1896 8e38e8ecd481eb08ceaa4ae363251311.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e38e8ecd481eb08ceaa4ae363251311.exe"C:\Users\Admin\AppData\Local\Temp\8e38e8ecd481eb08ceaa4ae363251311.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2240
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2562⤵
- Program crash
PID:2044
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1896 -ip 18961⤵PID:396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Tmp4B90.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
memory/1896-2-0x0000000000CA0000-0x0000000000CA1000-memory.dmpFilesize
4KB
-
memory/1896-0-0x0000000000CA0000-0x0000000000CA1000-memory.dmpFilesize
4KB
-
memory/3532-25-0x00000000063C0000-0x00000000063DE000-memory.dmpFilesize
120KB
-
memory/3532-29-0x0000000006550000-0x000000000665A000-memory.dmpFilesize
1.0MB
-
memory/3532-5-0x0000000004FE0000-0x0000000005072000-memory.dmpFilesize
584KB
-
memory/3532-6-0x0000000004FC0000-0x0000000004FCA000-memory.dmpFilesize
40KB
-
memory/3532-7-0x0000000074930000-0x00000000750E0000-memory.dmpFilesize
7.7MB
-
memory/3532-3-0x000000007493E000-0x000000007493F000-memory.dmpFilesize
4KB
-
memory/3532-24-0x0000000005D40000-0x0000000005DB6000-memory.dmpFilesize
472KB
-
memory/3532-1-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/3532-28-0x0000000006A00000-0x0000000007018000-memory.dmpFilesize
6.1MB
-
memory/3532-4-0x0000000005590000-0x0000000005B34000-memory.dmpFilesize
5.6MB
-
memory/3532-30-0x0000000006490000-0x00000000064A2000-memory.dmpFilesize
72KB
-
memory/3532-31-0x00000000064F0000-0x000000000652C000-memory.dmpFilesize
240KB
-
memory/3532-32-0x0000000006660000-0x00000000066AC000-memory.dmpFilesize
304KB
-
memory/3532-33-0x00000000067A0000-0x0000000006806000-memory.dmpFilesize
408KB
-
memory/3532-36-0x00000000069B0000-0x0000000006A00000-memory.dmpFilesize
320KB
-
memory/3532-37-0x0000000008A00000-0x0000000008BC2000-memory.dmpFilesize
1.8MB
-
memory/3532-38-0x0000000009100000-0x000000000962C000-memory.dmpFilesize
5.2MB
-
memory/3532-40-0x0000000074930000-0x00000000750E0000-memory.dmpFilesize
7.7MB