Analysis
- max time kernel: 134s
- max time network: 146s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 17:07
Static task: static1
Behavioral task: behavioral1
- Sample: 440c6427f359554d5152d93dbb272cc2.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 440c6427f359554d5152d93dbb272cc2.exe
- Resource: win10-en-20210920
General
- Target: 440c6427f359554d5152d93dbb272cc2.exe
- Size: 416KB
- MD5: 440c6427f359554d5152d93dbb272cc2
- SHA1: 1be9b53d33272b3730bf564d1f2b39119cfb7c78
- SHA256: 63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab
- SHA512: 23e14a24c21a89c0222ab2b6a8ae77be7ff788abfa1b1ed3377723ec49d8b0969e84f26142abe564f2eb20ae6986b70f0ba885af394762bae2e383301fd3c2f8
Malware Config
Extracted:
- redline
- Teslalogs
- 91.206.14.151:50125
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/1868-120-0x00000000003D0000-0x00000000003F2000-memory.dmp: family_redline
  - behavioral2/memory/1868-125-0x00000000003EC5EA-mapping.dmp: family_redline
  - behavioral2/memory/1868-132-0x00000000049E0000-0x0000000004FE6000-memory.dmp: family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid; process; target process):
  - PID 3712 set thread context of 1868; 3712; 440c6427f359554d5152d93dbb272cc2.exe; RegSvcs.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description; pid; process; target process):
  - PID 3712 wrote to memory of 1868; 3712; 440c6427f359554d5152d93dbb272cc2.exe; RegSvcs.exe
  - PID 3712 wrote to memory of 1868; 3712; 440c6427f359554d5152d93dbb272cc2.exe; RegSvcs.exe
  - PID 3712 wrote to memory of 1868; 3712; 440c6427f359554d5152d93dbb272cc2.exe; RegSvcs.exe
  - PID 3712 wrote to memory of 1868; 3712; 440c6427f359554d5152d93dbb272cc2.exe; RegSvcs.exe
  - PID 3712 wrote to memory of 1868; 3712; 440c6427f359554d5152d93dbb272cc2.exe; RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\440c6427f359554d5152d93dbb272cc2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\440c6427f359554d5152d93dbb272cc2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1868-129-0x0000000004A20000-0x0000000004A21000-memory.dmp (Filesize: 4KB)
- memory/1868-128-0x0000000004FF0000-0x0000000004FF1000-memory.dmp (Filesize: 4KB)
- memory/1868-133-0x0000000004B00000-0x0000000004B01000-memory.dmp (Filesize: 4KB)
- memory/1868-132-0x00000000049E0000-0x0000000004FE6000-memory.dmp (Filesize: 6.0MB)
- memory/1868-131-0x0000000004AC0000-0x0000000004AC1000-memory.dmp (Filesize: 4KB)
- memory/1868-120-0x00000000003D0000-0x00000000003F2000-memory.dmp (Filesize: 136KB)
- memory/1868-126-0x00000000003D0000-0x00000000003D1000-memory.dmp (Filesize: 4KB)
- memory/1868-125-0x00000000003EC5EA-mapping.dmp
- memory/1868-130-0x0000000004B50000-0x0000000004B51000-memory.dmp (Filesize: 4KB)
- memory/3712-115-0x00000000005C0000-0x00000000005C1000-memory.dmp (Filesize: 4KB)
- memory/3712-116-0x00000000013C0000-0x0000000001434000-memory.dmp (Filesize: 464KB)
- memory/3712-119-0x00000000009E0000-0x00000000009E1000-memory.dmp (Filesize: 4KB)
- memory/3712-118-0x0000000074CF0000-0x0000000074EB2000-memory.dmp (Filesize: 1.8MB)
- memory/3712-117-0x00000000011C0000-0x0000000001203000-memory.dmp (Filesize: 268KB)