Analysis
- max time kernel: 41s
- max time network: 40s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-04-2021 21:01

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3fa383ee84580d83880217fd61449698.exe
  - Resource: win7v20210408 (windows7_x64)
  - Signatures: 0
  - Duration: 0 seconds
General
- Target: 3fa383ee84580d83880217fd61449698.exe
- Size: 418KB
- MD5: 3fa383ee84580d83880217fd61449698
- SHA1: aa78a35156892e68d6a0e93ff3f34c30faea0c1f
- SHA256: 08fa32b60c3a2d7c71e3be07021113e25eb9d13a79b34734f69efb341a88604f
- SHA512: 4b41615d89efe3cf63f680481e09003d67716c7b45c4ad3d02944e720a900008db166c5bc604f1dacbc5b6c0231b008c2825ceaf89408866a3223c18c038d265
- Score: 10/10
Malware Config (extracted)
- Family: redline
- Botnet: v1
- C2: 199.195.251.96:43073
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload (3 IoCs)
  Resource | YARA rule
  behavioral1/memory/1548-63-0x0000000000400000-0x000000000041C000-memory.dmp | family_redline
  behavioral1/memory/1548-64-0x000000000041622A-mapping.dmp | family_redline
  behavioral1/memory/1548-65-0x0000000000400000-0x000000000041C000-memory.dmp | family_redline

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Suspicious use of SetThreadContext (1 IoC)
  Description | PID | Process | Target process
  PID 1684 set thread context of 1548 | 1684 | 3fa383ee84580d83880217fd61449698.exe | AddInProcess32.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID | Process
  1548 | AddInProcess32.exe
  1548 | AddInProcess32.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 1684 | 3fa383ee84580d83880217fd61449698.exe
  Token: SeDebugPrivilege | 1548 | AddInProcess32.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Description | PID | Process | Target process
  PID 1684 wrote to memory of 1548 | 1684 | 3fa383ee84580d83880217fd61449698.exe | AddInProcess32.exe
  (the same entry is recorded 9 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\3fa383ee84580d83880217fd61449698.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3fa383ee84580d83880217fd61449698.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (child of 1)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Memory dump | Filesize
memory/1548-63-0x0000000000400000-0x000000000041C000-memory.dmp | 112KB
memory/1548-64-0x000000000041622A-mapping.dmp | (no size reported)
memory/1548-65-0x0000000000400000-0x000000000041C000-memory.dmp | 112KB
memory/1548-67-0x0000000004D10000-0x0000000004D11000-memory.dmp | 4KB
memory/1684-59-0x00000000010F0000-0x00000000010F1000-memory.dmp | 4KB
memory/1684-61-0x0000000000EF0000-0x0000000000EF1000-memory.dmp | 4KB
memory/1684-62-0x00000000009F0000-0x00000000009FB000-memory.dmp | 44KB