Analysis
- max time kernel: 7s
- max time network: 10s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 29-06-2024 18:25
Behavioral task: behavioral1
- Sample: Redline Stealer.rar
- Resource: win7-20240611-en
- 3 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: Redline Stealer.rar
- Resource: win10v2004-20240508-en
- 12 signatures
- 150 seconds
General
- Target: Redline Stealer.rar
- Size: 1.9MB
- MD5: 804930714f5da20e35e42cd74c195a4e
- SHA1: bbb8cd45f3a8504e40d832bf6edd6befa0f21da2
- SHA256: 1aa6211a075d828327681307b51741b8c931514c1a387fb45f9d9cc8fcfb8acd
- SHA512: cf36e07550531e4683a13bd9903c3bc24fc2a7937837160963e6afd63f120bd0b78d7b9c576f356e954b5fe6dfe2857957c71dc31d100d8cc824495333679e30
- SSDEEP: 49152:cGgYV/h2P1tXK/zYhv/5B+sE1Icb+ehyl30ynqkL:cGge2PzXK/e//+sE1da31L
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings | rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2972 wrote to memory of 2756 | 2972 | cmd.exe | rundll32.exe
  PID 2972 wrote to memory of 2756 | 2972 | cmd.exe | rundll32.exe
  PID 2972 wrote to memory of 2756 | 2972 | cmd.exe | rundll32.exe
  PID 2756 wrote to memory of 2556 | 2756 | rundll32.exe | rundll32.exe
  PID 2756 wrote to memory of 2556 | 2756 | rundll32.exe | rundll32.exe
  PID 2756 wrote to memory of 2556 | 2756 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Redline Stealer.rar"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Redline Stealer.rar
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Redline Stealer.rar
      - Modifies registry class