Analysis
-
max time kernel
111s -
max time network
115s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 07:50
Static task
static1
Behavioral task
behavioral1
Sample
2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe
Resource
win10v2004-20241007-en
General
-
Target
2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe
-
Size
1.1MB
-
MD5
be4268bd5229b479ad9c446943303795
-
SHA1
2a4141a8db79086003ef586771de0a6cb33921ca
-
SHA256
2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7
-
SHA512
c3cbd53e15216849702c45e65c21a68cd74bf9d161bbf736c56945ab1f88c40cfb442979acbf110ad7d0a3bf6b91a8653902a52fb40aabdda039f2f87dfddd69
-
SSDEEP
24576:E0Vs8ABbiCw+SFuGzJgkcHXMVB52Sg/cmom2Ket6zattBcQuVhxY26EI:Ej80L1SFulXMV/gkBmtet621vuVhd7I
Malware Config
Extracted
redline
@Js_scr
185.209.22.181:29234
-
auth_value
5a0918bd3e8ede8e02c8dd9d106a996d
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Redline family
-
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
Processes:
2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exepid process 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exepid process 2668 2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe"C:\Users\Admin\AppData\Local\Temp\2df568fd2c5dec264a9036ebd26ba7a2f61599a57cf843e3fd83cd4663926bf7.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2668