Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 21:41
Behavioral task
behavioral1
Sample
4a2f42d5767cff94f4ef60a8e709d970e85ae2fed4dd0752738fdcce54cf0a40.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4a2f42d5767cff94f4ef60a8e709d970e85ae2fed4dd0752738fdcce54cf0a40.exe
Resource
win10v2004-20241007-en
General
-
Target
4a2f42d5767cff94f4ef60a8e709d970e85ae2fed4dd0752738fdcce54cf0a40.exe
-
Size
240KB
-
MD5
3b10241ce9016311733b35d0a539f589
-
SHA1
ba8cca9826753e83442d27269f54f40cd34f211d
-
SHA256
4a2f42d5767cff94f4ef60a8e709d970e85ae2fed4dd0752738fdcce54cf0a40
-
SHA512
d47c4fbfc75425b972764acc3746f5206616f6f8be8e672a47a26130a351c6a62383477411ed0bc83e41956368676a07c824d5cdcaff7af5f7fe235d6da0789f
-
SSDEEP
3072:54jqrLQenQRonR7aQS7yaTKrYTSdzpqF8H5Ldoe/9GdRshkJO7SlFfYBYQozQt:54jq3Go4X7fTSdzpq+HEshpSU+
Malware Config
Extracted
redline
14
92.118.36.245:21100
-
auth_value
c509bb736d90e24a5f10c696dd374e6d
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral1/memory/2856-1-0x0000000000870000-0x00000000008AC000-memory.dmp family_redline -
Redline family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a2f42d5767cff94f4ef60a8e709d970e85ae2fed4dd0752738fdcce54cf0a40.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2856 4a2f42d5767cff94f4ef60a8e709d970e85ae2fed4dd0752738fdcce54cf0a40.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a2f42d5767cff94f4ef60a8e709d970e85ae2fed4dd0752738fdcce54cf0a40.exe"C:\Users\Admin\AppData\Local\Temp\4a2f42d5767cff94f4ef60a8e709d970e85ae2fed4dd0752738fdcce54cf0a40.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2856