Analysis
-
max time kernel
139s -
max time network
200s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
06-07-2021 07:08
Static task
static1
Behavioral task
behavioral1
Sample
5af2d4f23b526022e3446bf28928983a.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
5af2d4f23b526022e3446bf28928983a.exe
Resource
win10v20210410
General
-
Target
5af2d4f23b526022e3446bf28928983a.exe
-
Size
547KB
-
MD5
5af2d4f23b526022e3446bf28928983a
-
SHA1
efcb1386b7d4ef0d92df1456434dd38cbd30ff2a
-
SHA256
a5a1d72b8d7045cf92e3fc39b72cf251a015464f1f7920aa028b341d3f646ee8
-
SHA512
0e942d17469ba7e9714a36144ba2ebdcaf25122449249e238e28c17e6c130c5c855992f29b95d96b45f3235a1cca84f21b1761f33d28e2ffc0292675d02e030b
Malware Config
Extracted
redline
777
193.188.21.24:21977
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1284-64-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/1284-65-0x0000000000417E96-mapping.dmp family_redline behavioral1/memory/1284-66-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
Suspicious use of SetThreadContext 1 IoCs
Processes:
5af2d4f23b526022e3446bf28928983a.exedescription pid process target process PID 856 set thread context of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
5af2d4f23b526022e3446bf28928983a.exe5af2d4f23b526022e3446bf28928983a.exedescription pid process Token: SeDebugPrivilege 856 5af2d4f23b526022e3446bf28928983a.exe Token: SeDebugPrivilege 1284 5af2d4f23b526022e3446bf28928983a.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
5af2d4f23b526022e3446bf28928983a.exedescription pid process target process PID 856 wrote to memory of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe PID 856 wrote to memory of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe PID 856 wrote to memory of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe PID 856 wrote to memory of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe PID 856 wrote to memory of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe PID 856 wrote to memory of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe PID 856 wrote to memory of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe PID 856 wrote to memory of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe PID 856 wrote to memory of 1284 856 5af2d4f23b526022e3446bf28928983a.exe 5af2d4f23b526022e3446bf28928983a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5af2d4f23b526022e3446bf28928983a.exe"C:\Users\Admin\AppData\Local\Temp\5af2d4f23b526022e3446bf28928983a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5af2d4f23b526022e3446bf28928983a.exeC:\Users\Admin\AppData\Local\Temp\5af2d4f23b526022e3446bf28928983a.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/856-60-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/856-62-0x00000000006B0000-0x00000000006E3000-memory.dmpFilesize
204KB
-
memory/856-63-0x00000000020C0000-0x00000000020C1000-memory.dmpFilesize
4KB
-
memory/1284-64-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1284-65-0x0000000000417E96-mapping.dmp
-
memory/1284-66-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1284-68-0x00000000042D0000-0x00000000042D1000-memory.dmpFilesize
4KB