Analysis
- max time kernel: 28s
- max time network: 29s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-04-2021 16:23
Static task: static1
Behavioral task: behavioral1
- Sample: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
- Resource: win10v20210410
General
- Target: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
- Size: 1.3MB
- MD5: 5117da426fe56ffdde2c13745ff6b46b
- SHA1: 9327d4fd989a2f3681043af4c7809e0e693bd929
- SHA256: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f
- SHA512: 53e1328a253cdf2d9298a0055e85ceb8a7d37e901a5eb5a679453a6fc6bf3496025edd2c73fb5edb3721a53bf02ccf44edfc09068a43a60ba2ced6d4e8b5de26
Malware Config
Extracted (redline):
- 45.139.236.56:8734
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1512-63-0x0000000000400000-0x000000000041C000-memory.dmp | family_redline
behavioral1/memory/1512-64-0x000000000041653E-mapping.dmp | family_redline
behavioral1/memory/1512-65-0x0000000000400000-0x000000000041C000-memory.dmp | family_redline

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/1612-62-0x0000000001EF0000-0x0000000001EFB000-memory.dmp | agile_net

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1612 set thread context of 1512 | 1612 | 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe | AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1512 | AddInProcess32.exe
1512 | AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1612 | 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
Token: SeDebugPrivilege | 1512 | AddInProcess32.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 1612 wrote to memory of 1512 | 1612 | 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe | AddInProcess32.exe
(the same event is recorded 9 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (child of 1)
   Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1512-63-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1512-64-0x000000000041653E-mapping.dmp
- memory/1512-65-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1512-67-0x0000000000780000-0x0000000000781000-memory.dmp (Filesize: 4KB)
- memory/1612-59-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize: 4KB)
- memory/1612-61-0x00000000042B0000-0x00000000042B1000-memory.dmp (Filesize: 4KB)
- memory/1612-62-0x0000000001EF0000-0x0000000001EFB000-memory.dmp (Filesize: 44KB)