Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
11-11-2024 01:37
Static task
static1
Behavioral task
behavioral1
Sample
db663022646cf9c9892733d3f6ee8e565ed5d5825621d1eb1c38a99b70e1c876.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
db663022646cf9c9892733d3f6ee8e565ed5d5825621d1eb1c38a99b70e1c876.exe
Resource
win10v2004-20241007-en
General
-
Target
db663022646cf9c9892733d3f6ee8e565ed5d5825621d1eb1c38a99b70e1c876.exe
-
Size
274KB
-
MD5
937ee6174125651024f986da38f2f5a5
-
SHA1
ce394c936275e5c66fe035f31a4dd012806c7a8c
-
SHA256
db663022646cf9c9892733d3f6ee8e565ed5d5825621d1eb1c38a99b70e1c876
-
SHA512
7df67204c288d056573b4747ef7cb79f05e49afedef2a0fbe55271b1b25426493956ebfd2c6aab2e41d4ced0e2a4f3a0d39e7369ed448f2d4d9fa717789cde9b
-
SSDEEP
6144:3OzLoJazKULP9wHZZNQHnjSGWLSioSEIYR/mJekTfj4B:ezUJa3p0NQHGSwNYR+BTc
Malware Config
Extracted
redline
asia
45.9.20.240:46257
-
auth_value
218353fc70f3440d970e02bf6e2edeb1
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/2580-4-0x0000000000920000-0x0000000000954000-memory.dmp family_redline behavioral1/memory/2580-5-0x0000000000B30000-0x0000000000B62000-memory.dmp family_redline behavioral1/memory/2580-6-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-7-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-25-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-9-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-11-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-13-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-59-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-15-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-17-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-19-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-21-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-31-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-33-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-37-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-41-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-57-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-69-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-67-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-65-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-63-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-61-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-55-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-53-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-52-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-49-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-48-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-45-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-43-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-39-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-35-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-29-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-27-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline behavioral1/memory/2580-23-0x0000000000B30000-0x0000000000B5D000-memory.dmp family_redline -
Redline family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language db663022646cf9c9892733d3f6ee8e565ed5d5825621d1eb1c38a99b70e1c876.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2580 db663022646cf9c9892733d3f6ee8e565ed5d5825621d1eb1c38a99b70e1c876.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\db663022646cf9c9892733d3f6ee8e565ed5d5825621d1eb1c38a99b70e1c876.exe"C:\Users\Admin\AppData\Local\Temp\db663022646cf9c9892733d3f6ee8e565ed5d5825621d1eb1c38a99b70e1c876.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2580
Network
- No results found
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3