Analysis
- max time kernel: 99s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-04-2021 16:23
Static task: static1
Behavioral task: behavioral1
- Sample: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
- Resource: win10v20210410
General
- Target: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
- Size: 1.3MB
- MD5: 5117da426fe56ffdde2c13745ff6b46b
- SHA1: 9327d4fd989a2f3681043af4c7809e0e693bd929
- SHA256: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f
- SHA512: 53e1328a253cdf2d9298a0055e85ceb8a7d37e901a5eb5a679453a6fc6bf3496025edd2c73fb5edb3721a53bf02ccf44edfc09068a43a60ba2ced6d4e8b5de26
Malware Config
Extracted
- redline: 45.139.236.56:8734
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource: behavioral2/memory/1884-121-0x0000000000400000-0x000000000041C000-memory.dmp  yara_rule: family_redline
    resource: behavioral2/memory/1884-122-0x000000000041653E-mapping.dmp  yara_rule: family_redline
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource: behavioral2/memory/2256-120-0x0000000005920000-0x000000000592B000-memory.dmp  yara_rule: agile_net
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2256 set thread context of 1884  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe  target process: AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 1884  process: AddInProcess32.exe
    pid: 1884  process: AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
    description: Token: SeDebugPrivilege  pid: 1884  process: AddInProcess32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description: PID 2256 wrote to memory of 1884  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe  target process: AddInProcess32.exe
    description: PID 2256 wrote to memory of 1884  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe  target process: AddInProcess32.exe
    description: PID 2256 wrote to memory of 1884  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe  target process: AddInProcess32.exe
    description: PID 2256 wrote to memory of 1884  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe  target process: AddInProcess32.exe
    description: PID 2256 wrote to memory of 1884  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe  target process: AddInProcess32.exe
    description: PID 2256 wrote to memory of 1884  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe  target process: AddInProcess32.exe
    description: PID 2256 wrote to memory of 1884  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe  target process: AddInProcess32.exe
    description: PID 2256 wrote to memory of 1884  pid: 2256  process: 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe  target process: AddInProcess32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (child of 1)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1884-129-0x0000000005020000-0x0000000005626000-memory.dmp (Filesize: 6.0MB)
- memory/1884-130-0x00000000053C0000-0x00000000053C1000-memory.dmp (Filesize: 4KB)
- memory/1884-126-0x00000000050B0000-0x00000000050B1000-memory.dmp (Filesize: 4KB)
- memory/1884-127-0x0000000005110000-0x0000000005111000-memory.dmp (Filesize: 4KB)
- memory/1884-125-0x0000000005630000-0x0000000005631000-memory.dmp (Filesize: 4KB)
- memory/1884-135-0x0000000006BB0000-0x0000000006BB1000-memory.dmp (Filesize: 4KB)
- memory/1884-121-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1884-122-0x000000000041653E-mapping.dmp
- memory/1884-136-0x0000000007070000-0x0000000007071000-memory.dmp (Filesize: 4KB)
- memory/1884-134-0x00000000070E0000-0x00000000070E1000-memory.dmp (Filesize: 4KB)
- memory/1884-133-0x00000000069E0000-0x00000000069E1000-memory.dmp (Filesize: 4KB)
- memory/1884-128-0x0000000005150000-0x0000000005151000-memory.dmp (Filesize: 4KB)
- memory/2256-120-0x0000000005920000-0x000000000592B000-memory.dmp (Filesize: 44KB)
- memory/2256-114-0x0000000000B90000-0x0000000000B91000-memory.dmp (Filesize: 4KB)
- memory/2256-118-0x0000000005660000-0x0000000005661000-memory.dmp (Filesize: 4KB)
- memory/2256-117-0x0000000005670000-0x0000000005671000-memory.dmp (Filesize: 4KB)
- memory/2256-116-0x0000000005AD0000-0x0000000005AD1000-memory.dmp (Filesize: 4KB)
- memory/2256-119-0x00000000055D0000-0x0000000005ACE000-memory.dmp (Filesize: 5.0MB)