Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 06:47
Behavioral task
behavioral1
Sample
af1ee47de3410dba0044d23ab63ecce06b167d6b9dab6defa5ae25cb0b26641c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
af1ee47de3410dba0044d23ab63ecce06b167d6b9dab6defa5ae25cb0b26641c.exe
Resource
win10v2004-20241007-en
General
-
Target
af1ee47de3410dba0044d23ab63ecce06b167d6b9dab6defa5ae25cb0b26641c.exe
-
Size
504KB
-
MD5
8885d154c61d37cd67372ecabe8e80d8
-
SHA1
58f5a75d1358de4e595dfd80d48e438aeb8aeacb
-
SHA256
af1ee47de3410dba0044d23ab63ecce06b167d6b9dab6defa5ae25cb0b26641c
-
SHA512
626255419e68a6a566e5c32cde087046098ec2662735bb483cab2018e3f766e3bbdd2f7027774b1753f60a43bb61951ea7f391a843dffca2e46d8332aca74571
-
SSDEEP
12288:B6jH6tmHOrdS3RXHSYWHKUFACu4hDbtMwdY5bdoENYTqDisGyff4Hm:mH1lkHm
Malware Config
Extracted
redline
free
147.124.217.241:33086
-
auth_value
1d822bec3abdbd5ecc116a6bb052594c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/2472-1-0x0000000000520000-0x000000000059E000-memory.dmp family_redline -
Redline family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language af1ee47de3410dba0044d23ab63ecce06b167d6b9dab6defa5ae25cb0b26641c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2472 af1ee47de3410dba0044d23ab63ecce06b167d6b9dab6defa5ae25cb0b26641c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\af1ee47de3410dba0044d23ab63ecce06b167d6b9dab6defa5ae25cb0b26641c.exe"C:\Users\Admin\AppData\Local\Temp\af1ee47de3410dba0044d23ab63ecce06b167d6b9dab6defa5ae25cb0b26641c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2472