Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10_x64
  resource: win10-en
  submitted: 14/09/2021, 22:39
Static task: static1

Behavioral task: behavioral1
  Sample: e4a200fc3da152d2b8c48f6e19b8ec97.exe
  Resource: win7v20210408
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: e4a200fc3da152d2b8c48f6e19b8ec97.exe
  Resource: win10-en
  0 signatures, 0 seconds
General
  Target: e4a200fc3da152d2b8c48f6e19b8ec97.exe
  Size: 787KB
  MD5: e4a200fc3da152d2b8c48f6e19b8ec97
  SHA1: 6104b851cccad3628b12d4ca136b8f364bbd3d35
  SHA256: 95d29f64d0106c91070bcd511f78f6cf29d35cdb8cbbd97cfdfdcf61e422b4da
  SHA512: d704391d9a566a889398af1d119e46aecfa9421802cb14785847a64d4848874f2b65aed132d955f624a848fead5b2cb48a9805c90d5df2e230064775f6f015ea
  Score: 10/10
Malware Config (Extracted)
  Family: redline
  Botnet: cheat
  C2: 172.31.9.183:29120
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/3164-125-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
  behavioral2/memory/3164-126-0x000000000041932E-mapping.dmp                    family_redline

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process                               procid_target
  PID 3548 set thread context of 3164   3548  e4a200fc3da152d2b8c48f6e19b8ec97.exe  69

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3164  e4a200fc3da152d2b8c48f6e19b8ec97.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                               procid_target
  PID 3548 wrote to memory of 3164   3548  e4a200fc3da152d2b8c48f6e19b8ec97.exe  69
  PID 3548 wrote to memory of 3164   3548  e4a200fc3da152d2b8c48f6e19b8ec97.exe  69
  PID 3548 wrote to memory of 3164   3548  e4a200fc3da152d2b8c48f6e19b8ec97.exe  69
  PID 3548 wrote to memory of 3164   3548  e4a200fc3da152d2b8c48f6e19b8ec97.exe  69
  PID 3548 wrote to memory of 3164   3548  e4a200fc3da152d2b8c48f6e19b8ec97.exe  69
  PID 3548 wrote to memory of 3164   3548  e4a200fc3da152d2b8c48f6e19b8ec97.exe  69
  PID 3548 wrote to memory of 3164   3548  e4a200fc3da152d2b8c48f6e19b8ec97.exe  69
  PID 3548 wrote to memory of 3164   3548  e4a200fc3da152d2b8c48f6e19b8ec97.exe  69
Processes

1. C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe"
   PID: 3548
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe (child of PID 3548)
      Command line: "C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe"
      PID: 3164
      - Suspicious use of AdjustPrivilegeToken