Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
02-06-2021 08:26
Static task
static1
Behavioral task
behavioral1
Sample
A4.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
A4.exe
Resource
win10v20210410
General
-
Target
A4.exe
-
Size
421KB
-
MD5
6972482b38fda49d5ea9f11bd2496909
-
SHA1
3f70b20432fa4ceb9cff4c3bd28028183d7e6fa3
-
SHA256
69e411368f9407c3c25b453792bd383fed96eb6bb6a7e9d0cf06d980add295c6
-
SHA512
364238d4e97a6811f3fa3942ce528e4fd0a0666539d881d43c7e37428dbe6a05c1fc018e873ba3d02fe0bfee6522013f361fd8c8962dad99ef4734207b71079e
Malware Config
Extracted
redline
new
45.134.225.35:7821
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4092-126-0x0000000000400000-0x000000000041C000-memory.dmp family_redline behavioral2/memory/4092-127-0x0000000000417306-mapping.dmp family_redline -
Suspicious use of SetThreadContext 1 IoCs
Processes:
A4.exedescription pid process target process PID 3172 set thread context of 4092 3172 A4.exe A4.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
A4.exepid process 3172 A4.exe 3172 A4.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
A4.exeA4.exedescription pid process Token: SeDebugPrivilege 3172 A4.exe Token: SeDebugPrivilege 4092 A4.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
A4.exedescription pid process target process PID 3172 wrote to memory of 4092 3172 A4.exe A4.exe PID 3172 wrote to memory of 4092 3172 A4.exe A4.exe PID 3172 wrote to memory of 4092 3172 A4.exe A4.exe PID 3172 wrote to memory of 4092 3172 A4.exe A4.exe PID 3172 wrote to memory of 4092 3172 A4.exe A4.exe PID 3172 wrote to memory of 4092 3172 A4.exe A4.exe PID 3172 wrote to memory of 4092 3172 A4.exe A4.exe PID 3172 wrote to memory of 4092 3172 A4.exe A4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\A4.exe"C:\Users\Admin\AppData\Local\Temp\A4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\A4.exeC:\Users\Admin\AppData\Local\Temp\A4.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A4.exe.logMD5
413e636dfe7146f137f76ec1bd6a921d
SHA1b43f95ad87a2028c7b7bbbd6611310d1655ca449
SHA25637d9b8f70d335ace58e7f2cb4c6cbb2bacdfd75aa7c810956401b28d0ae87980
SHA51226f2288c7ac98c1054ecf5e5ccbb99148e30fa69c2f183f54acf4b059a24824990932ccbf88e3f181663729ee4b2db5efc544ed5bdcd92d0ca46eb726cea084d
-
memory/3172-114-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/3172-116-0x0000000001190000-0x000000000119C000-memory.dmpFilesize
48KB
-
memory/3172-121-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/3172-122-0x0000000005130000-0x0000000005182000-memory.dmpFilesize
328KB
-
memory/3172-125-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/4092-127-0x0000000000417306-mapping.dmp
-
memory/4092-126-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/4092-131-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/4092-132-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/4092-133-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/4092-134-0x00000000050B0000-0x00000000050B1000-memory.dmpFilesize
4KB
-
memory/4092-135-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/4092-136-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB