Analysis
- max time kernel: 141s
- max time network: 153s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-09-2021 16:15
Static task: static1
Behavioral task: behavioral1
- Sample: b5fc67332e05420980a00e2e4da7ebbc.exe
- Resource: win7v20210408
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: b5fc67332e05420980a00e2e4da7ebbc.exe
- Resource: win10-en-20210920
- 0 signatures, 0 seconds
General
- Target: b5fc67332e05420980a00e2e4da7ebbc.exe
- Size: 432KB
- MD5: b5fc67332e05420980a00e2e4da7ebbc
- SHA1: 19394812eefe2e09ba724a580a5c89309fef924d
- SHA256: a67250f4e3194d603043d506b4bc7c6112bd61a56bf3521e1ee1d95b22a17147
- SHA512: 36d95a4a4841371604a36740a93edc916786acd87e51c402dd2031f81da5ec704aa35e1bb010d7007f8233c3973a8757a962e3c49d13d091b87a3384239e7aa7
- Score: 10/10
Malware Config
Extracted
- Family: redline
- Botnet: lyla2109
- C2: 213.166.69.181:64650
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/1988-63-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
  - behavioral1/memory/1988-64-0x000000000041C5E2-mapping.dmp: family_redline
  - behavioral1/memory/1988-65-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid; process; target process):
  - PID 1892 set thread context of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description; pid; process; target process):
  - PID 1892 wrote to memory of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
  - PID 1892 wrote to memory of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
  - PID 1892 wrote to memory of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
  - PID 1892 wrote to memory of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
  - PID 1892 wrote to memory of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
  - PID 1892 wrote to memory of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
  - PID 1892 wrote to memory of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
  - PID 1892 wrote to memory of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
  - PID 1892 wrote to memory of 1988; 1892; b5fc67332e05420980a00e2e4da7ebbc.exe; b5fc67332e05420980a00e2e4da7ebbc.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe
Network
MITRE ATT&CK Matrix
Downloads
- memory/1892-60-0x0000000000B80000-0x0000000000B81000-memory.dmp (Filesize: 4KB)
- memory/1892-62-0x0000000000370000-0x0000000000371000-memory.dmp (Filesize: 4KB)
- memory/1988-63-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1988-64-0x000000000041C5E2-mapping.dmp
- memory/1988-65-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1988-67-0x0000000004EA0000-0x0000000004EA1000-memory.dmp (Filesize: 4KB)