Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-02-2021 09:58
Static task: static1

Behavioral task: behavioral1
- Sample: cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe
- Resource: win10v20201028
General
- Target: cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe
- Size: 212KB
- MD5: cd513b84207569e95cf1ca73170e0818
- SHA1: 1fa2db78e25bea5ce93015c96e30f29971292479
- SHA256: cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d
- SHA512: b562bf7c625d3b3769aae685f4f102c6f7cf53c783768b59b90a599aff7ed04d18197282c553cfea38b514368939c98ad90da969f5fc5ad7d622bb700edfa59f
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1164-6-0x0000000000400000-0x000000000042A000-memory.dmp | family_redline
  behavioral1/memory/1164-7-0x0000000000422016-mapping.dmp | family_redline
  behavioral1/memory/1164-9-0x0000000000400000-0x000000000042A000-memory.dmp | family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 776 set thread context of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1164 | AddInProcess32.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description | pid | process | target process
  PID 776 wrote to memory of 1168 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1168 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1168 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1168 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
  PID 776 wrote to memory of 1164 | 776 | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe | AddInProcess32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe (PID: 776)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID: 1168)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID: 1164)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    - Suspicious use of AdjustPrivilegeToken