Analysis
- Max time kernel: 119s
- Max time network: 121s
- Platform: windows7_x64
- Resource: win7-20240705-en
- Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- Submitted: 03-08-2024 04:53
Behavioral task: behavioral1
- Sample: 33c689da9eaa894882cdb0fa90e9bb46.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 33c689da9eaa894882cdb0fa90e9bb46.exe
- Resource: win10v2004-20240802-en
General
- Target: 33c689da9eaa894882cdb0fa90e9bb46.exe
- Size: 568KB
- MD5: 33c689da9eaa894882cdb0fa90e9bb46
- SHA1: 5afc0dc2f90bea1c34acfa37563570afe9db8fb4
- SHA256: ef0f0472b0aaa446f0bd4ffe6d4d795def72eab197c783d839811200e57c0f08
- SHA512: 68d32de11ddb0b36693ec87782ea6de2c5b8f8b4f5747bce38085a3384674af80e88953a6a9ba78b3acabde9f6198c2442cbb5865954415c26231066761b4251
- SSDEEP: 3072:C1U1cWgzWHY3+zi0ZbYe1g0ujyzdgYLz60gznkI8yQSI8yUrNc5vDA:IccXKHYuG0LahyKv5FEvE
Malware Config
Extracted
- Family: redline
- Botnet: xxxx
- C2: 212.224.93.60:51914
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  Processes:
  Resource: C:\Users\Admin\AppData\LocalJMzRXaGbhr.exe; YARA rule: family_redline
  Resource: behavioral1/memory/1976-11-0x0000000000890000-0x00000000008AE000-memory.dmp; YARA rule: family_redline
- SectopRAT payload (2 IoCs)
  Processes:
  Resource: C:\Users\Admin\AppData\LocalJMzRXaGbhr.exe; YARA rule: family_sectoprat
  Resource: behavioral1/memory/1976-11-0x0000000000890000-0x00000000008AE000-memory.dmp; YARA rule: family_sectoprat
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store.
- Executes dropped EXE (1 IoC)
  Processes:
  PID 1976: LocalJMzRXaGbhr.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  Process: LocalJMzRXaGbhr.exe; Description: Key opened; IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID 1976: LocalJMzRXaGbhr.exe
  PID 1976: LocalJMzRXaGbhr.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Description: Token: SeDebugPrivilege; PID 1976: LocalJMzRXaGbhr.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  PID 2036 (33c689da9eaa894882cdb0fa90e9bb46.exe) wrote to memory of PID 1976 (LocalJMzRXaGbhr.exe)
  PID 2036 (33c689da9eaa894882cdb0fa90e9bb46.exe) wrote to memory of PID 1976 (LocalJMzRXaGbhr.exe)
  PID 2036 (33c689da9eaa894882cdb0fa90e9bb46.exe) wrote to memory of PID 1976 (LocalJMzRXaGbhr.exe)
  PID 2036 (33c689da9eaa894882cdb0fa90e9bb46.exe) wrote to memory of PID 1976 (LocalJMzRXaGbhr.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\33c689da9eaa894882cdb0fa90e9bb46.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33c689da9eaa894882cdb0fa90e9bb46.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\LocalJMzRXaGbhr.exe
    Command line: "C:\Users\Admin\AppData\LocalJMzRXaGbhr.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\LocalJMzRXaGbhr.exe
  Filesize: 95KB
  MD5: 7087178f8c713e35d97f0d0625ed2b30
  SHA1: 2b46fe2684e10bb876caf99195af1e844249f9c5
  SHA256: e56e0057e0c90da8ae239826ac313d213b348d74914f9a6b2728bdc53e7cb510
  SHA512: b70f4b6a8aa9e082f149fa56450d8752d5a8efc6c7c81519507eb1bc0b57655a3f0eb1c37409d30c50d59e889b618cb39a011313ce2f04573b45bd1789341003
- C:\Users\Admin\AppData\Local\Temp\tmpF0CF.tmp
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- C:\Users\Admin\AppData\Local\Temp\tmpF0E4.tmp
  Filesize: 92KB
  MD5: de7d702f13db499233da2c87959d7696
  SHA1: 8d51283dc6b41cae89ac01928cd0460604ff1d3e
  SHA256: 78e689d13f1ff71daeb36634831fa7457a8c90ea465a3e342aef921d8ca82b34
  SHA512: a57e198ff5e32453ac99d6aefb5ab71f9cb4c80006f2a75d3c3e0ef28a0ca00f387110788edc1df1e0a7ab9a2503571e82749e51acf7c67e654a586503754045
- memory/1976-11-0x0000000000890000-0x00000000008AE000-memory.dmp
  Filesize: 120KB
- memory/1976-10-0x00000000744CE000-0x00000000744CF000-memory.dmp
  Filesize: 4KB
- memory/1976-12-0x00000000744C0000-0x0000000074BAE000-memory.dmp
  Filesize: 6.9MB
- memory/1976-97-0x00000000744C0000-0x0000000074BAE000-memory.dmp
  Filesize: 6.9MB
- memory/2036-0-0x000007FEF59CE000-0x000007FEF59CF000-memory.dmp
  Filesize: 4KB
- memory/2036-8-0x000000001AEE0000-0x000000001AEF0000-memory.dmp
  Filesize: 64KB
- memory/2036-9-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp
  Filesize: 9.6MB
- memory/2036-98-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp
  Filesize: 9.6MB