Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 16:11
Static task: static1

Behavioral task: behavioral1
  Sample: 688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: $TEMP/F1gaSebe_crypted.exe
  Resource: win7-20240903-en

Behavioral task: behavioral4
  Sample: $TEMP/F1gaSebe_crypted.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral5
  Sample: $TEMP/Shortfalls.exe
  Resource: win7-20240903-en

Behavioral task: behavioral6
  Sample: $TEMP/Shortfalls.exe
  Resource: win10v2004-20241007-en
General

Target: $TEMP/F1gaSebe_crypted.exe
Size: 807KB
MD5: 5f6b473388665e4c29cf86b97acd05f0
SHA1: 6cc67923b21ef5df391b211243e9bca3f47851dc
SHA256: 616ceb62d1c53a9837635e51abd73b8c717a9d20b1cc882d1420a46c385d8304
SHA512: de3253a8714558da0621dbfcf72e4bceeed563785158f2830061f54d6b14b6a1eeb5d7abf349b9566ebcbb38afc4a0f8757ef94eae58e4eea578a98b4633fd66
SSDEEP: 12288:ymvQ2piRFz9kBAMKsikenkh52IdhvVjF:y+Smbj
Malware Config

Extracted: redline
  91.243.32.73:7171
  auth_value: f0eaa7ad30bc41521e3d61c8504e5715
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral4/memory/512-5-0x0000000000400000-0x0000000000422000-memory.dmp
  yara_rule: family_redline

Redline family

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2376 set thread context of 512
  pid: 2376
  Process: F1gaSebe_crypted.exe
  procid_target: 83
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: RegAsm.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Process: RegAsm.exe

  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Process: RegAsm.exe

Suspicious behavior: EnumeratesProcesses (38 IoCs)
  pid: 512
  Process: RegAsm.exe
  (the same pid/process entry is listed 38 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 512
  Process: RegAsm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2376 wrote to memory of 512
  pid: 2376
  Process: F1gaSebe_crypted.exe
  procid_target: 83
  (the same entry is listed 8 times)
Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\F1gaSebe_crypted.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\F1gaSebe_crypted.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2376

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: #cmd
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 512