Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 20-04-2021 11:52
Static task: static1
Behavioral task: behavioral1
  Sample: 954b39f45379c530b7f659d697c29ac7.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 954b39f45379c530b7f659d697c29ac7.exe
  Resource: win10v20210408
General
- Target: 954b39f45379c530b7f659d697c29ac7.exe
- Size: 487KB
- MD5: 954b39f45379c530b7f659d697c29ac7
- SHA1: 9fa7dcb754041cc878f6ca3a71581a04e3b23427
- SHA256: 301a510700f2ebccd25fc5cc6c579ead2196b957ed81aa3eda29c7bc40887c26
- SHA512: aecda633e082d00a5d9989aad8e20e300372efdcdbe4f48991b7fb7f70079d7465f420c278167edf25656966c44ac03ab72c3f1aaa18962771bee63364e7a6d8
Malware Config
Extracted
- Family: redline
- Version: v113
- C2: 45.150.67.141:8054
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1668-64-0x0000000000400000-0x000000000041C000-memory.dmp | family_redline
  behavioral1/memory/1668-65-0x00000000004163C6-mapping.dmp | family_redline
  behavioral1/memory/1668-66-0x0000000000400000-0x000000000041C000-memory.dmp | family_redline
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral1/memory/1056-63-0x0000000000540000-0x000000000054B000-memory.dmp | agile_net
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1056 set thread context of 1668 | 1056 | 954b39f45379c530b7f659d697c29ac7.exe | AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1056 | 954b39f45379c530b7f659d697c29ac7.exe
  Token: SeDebugPrivilege | 1668 | AddInProcess32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1056 wrote to memory of 1668 | 1056 | 954b39f45379c530b7f659d697c29ac7.exe | AddInProcess32.exe
  (the same event is recorded nine times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\954b39f45379c530b7f659d697c29ac7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\954b39f45379c530b7f659d697c29ac7.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1056-60-0x0000000000310000-0x0000000000311000-memory.dmp
  Filesize: 4KB
- memory/1056-62-0x0000000004A40000-0x0000000004A41000-memory.dmp
  Filesize: 4KB
- memory/1056-63-0x0000000000540000-0x000000000054B000-memory.dmp
  Filesize: 44KB
- memory/1668-64-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/1668-65-0x00000000004163C6-mapping.dmp
- memory/1668-66-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/1668-68-0x00000000003C0000-0x00000000003C1000-memory.dmp
  Filesize: 4KB