Analysis
-
max time kernel
92s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
27/07/2024, 01:18
General
-
Target
3e0b58b606aeb4cbf53aa42f471ae31960309cb01e2a3872b1db400c9694012b.exe
-
Size
553KB
-
MD5
1c7fa29f87c23abfa490a5e8909a310a
-
SHA1
35c09cc093085c3924cab4c34572387d920ac185
-
SHA256
3e0b58b606aeb4cbf53aa42f471ae31960309cb01e2a3872b1db400c9694012b
-
SHA512
5fce78d4a06352a5937b14b4a877be7a32874fc27e0f5dc409a1bddcd5526e534cf3f416a58b8e4de0a559043b0be4bfb57146b1682ba33806f47141b1cdb5dd
-
SSDEEP
12288:+CFjaM7SlWi+CqGndxB0T7JfdI0n3cTS+T54zfR2x/a/A2vz4UTKZLmRmV/MeiWE:+CtaM7kN+v4Fk7JfwuP
Malware Config
Extracted
redline
7371156009_99
https://t.me/+J_Z1QGHfHko0MGZi
https://steamcommunity.com/id/elcadillac
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Loads dropped DLL 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e0b58b606aeb4cbf53aa42f471ae31960309cb01e2a3872b1db400c9694012b.exe"C:\Users\Admin\AppData\Local\Temp\3e0b58b606aeb4cbf53aa42f471ae31960309cb01e2a3872b1db400c9694012b.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
279KB
MD51dbbd0b6af7f9543b6b930b58b089d74
SHA18ce8939d95775affcd2cbf70dc9e078f77e2f7c8
SHA25655647921432f0dfcf2e4a8455294df3be736c133beaa58c977c18b49503984ce
SHA512d4424575c5659b8c5966c3a1692df1416961fa4a8bd6407fa8722ee70f533908cdb5a3875d3d0fa06672db3f2e5d9e8add1c1b33cc2232cde12a9a91340b5a98
-
Filesize
4KB
-
Filesize
576KB
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
5.2MB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1.8MB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
136KB