Analysis
- max time kernel: 48s
- max time network: 49s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-03-2021 07:09
Static task
- static1

Behavioral task
- behavioral1
  - Sample: a61568c460fec240f6b098f902f37656.exe
  - Resource: win7v20201028 (windows7_x64)
  - 0 signatures, 0 seconds

Behavioral task
- behavioral2
  - Sample: a61568c460fec240f6b098f902f37656.exe
  - Resource: win10v20201028 (windows10_x64)
  - 0 signatures, 0 seconds
General
- Target: a61568c460fec240f6b098f902f37656.exe
- Size: 833KB
- MD5: a61568c460fec240f6b098f902f37656
- SHA1: 568246a5ed71acf14ba5c7d91e3e55666771f9d6
- SHA256: 5b9485481c38b7cb26d8dee0181900df0e1310d7eef9bf2cd73bdde8a825d0a8
- SHA512: b536211806c289639966b2cb47d2f87059e1ae2c66b9340b0fb2144c87f381ecf649a2f9049a393ac654b7149832812051a0b095724718cc6e0cc94ff8719d2d
- Score: 10/10
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 784 set thread context of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:

| pid | process |
| --- | --- |
| 1388 | AddInProcess32.exe |
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 784 | a61568c460fec240f6b098f902f37656.exe |
| Token: SeDebugPrivilege | 1388 | AddInProcess32.exe |
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 784 wrote to memory of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
| PID 784 wrote to memory of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
| PID 784 wrote to memory of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
| PID 784 wrote to memory of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
| PID 784 wrote to memory of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
| PID 784 wrote to memory of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
| PID 784 wrote to memory of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
| PID 784 wrote to memory of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
| PID 784 wrote to memory of 1388 | 784 | a61568c460fec240f6b098f902f37656.exe | AddInProcess32.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\a61568c460fec240f6b098f902f37656.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a61568c460fec240f6b098f902f37656.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 784
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1388