Analysis
-
max time kernel
117s -
max time network
187s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
-
submitted
12/09/2024, 22:32
General
-
Target
20c00490073d178d700ea9fc5c66962935f874c704833bd95bb0f20cbf0e81a7.exe
-
Size
313KB
-
MD5
6327191c97297473cbd16fe27c5e23c9
-
SHA1
43cb395c65b39956efcabe330b9eb5969939c77c
-
SHA256
20c00490073d178d700ea9fc5c66962935f874c704833bd95bb0f20cbf0e81a7
-
SHA512
d66ee18d30d13df99b07998ba51a8fee446a10795480bebe9f1091a590e93b895cff9f133a78a4e918c20e030f214b79c9fadfe5d6818be8c6486646099e4a78
-
SSDEEP
6144:DtoxwySMnzhaYcBNKuJfXrabgjGtho1ruvVTjWRgdhgLYPgokEdoHyY3lnZO:Du/Fn8YcnKwf+EGw1ujWRMCUgokEaHyS
Malware Config
Extracted
redline
@OLEH_PSP
65.21.18.51:45580
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20c00490073d178d700ea9fc5c66962935f874c704833bd95bb0f20cbf0e81a7.exe"C:\Users\Admin\AppData\Local\Temp\20c00490073d178d700ea9fc5c66962935f874c704833bd95bb0f20cbf0e81a7.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
4KB
-
Filesize
336KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
5.0MB
-
Filesize
248KB
-
Filesize
40KB
-
Filesize
6.9MB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
6.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
300KB
-
Filesize
408KB
-
Filesize
328KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
6.9MB