Analysis
-
max time kernel
149s -
max time network
163s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
21-06-2021 12:07
Static task
static1
Behavioral task
behavioral1
Sample
hBKKvc5PYJSJ.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
hBKKvc5PYJSJ.exe
Resource
win10v20210410
General
-
Target
hBKKvc5PYJSJ.exe
-
Size
178KB
-
MD5
ea64fb745ef58010d1b9d7ac80f221d0
-
SHA1
7be7c6a48ae96c8d7ef692d03c7405dea60f52a6
-
SHA256
191a6c8951aa3bc73634891e7551a229e15fd90ff0deacef8a2f3a8594d53f6d
-
SHA512
2a12518ee29836faecef01cc4660710e90ab81fb3e7080158011ea83f531bc2d0d8bc3ecf4ecb177cdee3ce0570f192628c6137ad98131706c76eb08956e8550
Malware Config
Extracted
redline
z0rm1on
185.241.61.33:16195
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2324-124-0x0000000000417326-mapping.dmp family_redline behavioral2/memory/2324-123-0x0000000000400000-0x000000000041C000-memory.dmp family_redline -
Suspicious use of SetThreadContext 1 IoCs
Processes:
hBKKvc5PYJSJ.exedescription pid process target process PID 3016 set thread context of 2324 3016 hBKKvc5PYJSJ.exe hBKKvc5PYJSJ.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
hBKKvc5PYJSJ.exehBKKvc5PYJSJ.exedescription pid process Token: SeDebugPrivilege 3016 hBKKvc5PYJSJ.exe Token: SeDebugPrivilege 2324 hBKKvc5PYJSJ.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
hBKKvc5PYJSJ.exedescription pid process target process PID 3016 wrote to memory of 2324 3016 hBKKvc5PYJSJ.exe hBKKvc5PYJSJ.exe PID 3016 wrote to memory of 2324 3016 hBKKvc5PYJSJ.exe hBKKvc5PYJSJ.exe PID 3016 wrote to memory of 2324 3016 hBKKvc5PYJSJ.exe hBKKvc5PYJSJ.exe PID 3016 wrote to memory of 2324 3016 hBKKvc5PYJSJ.exe hBKKvc5PYJSJ.exe PID 3016 wrote to memory of 2324 3016 hBKKvc5PYJSJ.exe hBKKvc5PYJSJ.exe PID 3016 wrote to memory of 2324 3016 hBKKvc5PYJSJ.exe hBKKvc5PYJSJ.exe PID 3016 wrote to memory of 2324 3016 hBKKvc5PYJSJ.exe hBKKvc5PYJSJ.exe PID 3016 wrote to memory of 2324 3016 hBKKvc5PYJSJ.exe hBKKvc5PYJSJ.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\hBKKvc5PYJSJ.exe"C:\Users\Admin\AppData\Local\Temp\hBKKvc5PYJSJ.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hBKKvc5PYJSJ.exeC:\Users\Admin\AppData\Local\Temp\hBKKvc5PYJSJ.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hBKKvc5PYJSJ.exe.logMD5
4a30a8132195c1aa1a62b78676b178d9
SHA1506e6d99a2ba08c9d3553af30daaaa0fc46ae4be
SHA25671636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20
SHA5123272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09
-
memory/2324-129-0x0000000005600000-0x0000000005601000-memory.dmpFilesize
4KB
-
memory/2324-128-0x0000000005DC0000-0x0000000005DC1000-memory.dmpFilesize
4KB
-
memory/2324-133-0x00000000057A0000-0x00000000057A1000-memory.dmpFilesize
4KB
-
memory/2324-132-0x0000000005910000-0x0000000005911000-memory.dmpFilesize
4KB
-
memory/2324-123-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2324-131-0x00000000056A0000-0x00000000056A1000-memory.dmpFilesize
4KB
-
memory/2324-130-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/2324-124-0x0000000000417326-mapping.dmp
-
memory/3016-120-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/3016-116-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/3016-122-0x0000000005010000-0x0000000005019000-memory.dmpFilesize
36KB
-
memory/3016-114-0x0000000000420000-0x0000000000421000-memory.dmpFilesize
4KB
-
memory/3016-117-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/3016-121-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/3016-119-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/3016-118-0x0000000004D20000-0x000000000521E000-memory.dmpFilesize
5.0MB