Analysis
-
max time kernel
14s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
09-09-2024 17:08
Static task
static1
Behavioral task
behavioral1
Sample
0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe
Resource
win10v2004-20240802-en
General
-
Target
0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe
-
Size
312KB
-
MD5
db1fbaf680dc245b486db86fa852f655
-
SHA1
355caa80363bc44607efcce4c64d3752a0edf286
-
SHA256
0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32
-
SHA512
ec923d035cd6d608315c7a7dbd3ffd66afea22dace6f0854e7e97346ca758f6344c32a6a7336e9fd1506207bdee1e408f4a328b7671c7d9248a64e8a56c2e840
-
SSDEEP
6144:ebVv6RXCrNabG9wcT7XVwBIQv6B2M4m2FxHrkRQyczK+VcpKTCcTj:ebGXCNXX1wus6B2Mo1mKcFcT
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
45.91.202.63:25415
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1748-13-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/1748-11-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/1748-9-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/1748-6-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/1748-5-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exedescription pid process target process PID 2296 set thread context of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exeRegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Processes:
RegAsm.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
RegAsm.exepid process 1748 RegAsm.exe 1748 RegAsm.exe 1748 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegAsm.exedescription pid process Token: SeDebugPrivilege 1748 RegAsm.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exedescription pid process target process PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe PID 2296 wrote to memory of 1748 2296 0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe"C:\Users\Admin\AppData\Local\Temp\0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8