Analysis
-
max time kernel
123s -
max time network
125s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
15-10-2021 21:36
Static task
static1
Behavioral task
behavioral1
Sample
Valorant Skin Changer.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Valorant Skin Changer.exe
Resource
win10-en-20211014
General
-
Target
Valorant Skin Changer.exe
-
Size
322KB
-
MD5
1b2ce585b75dd6ac4252f0c5d81bcc47
-
SHA1
9c3f77550af38239cd96c487c3c81dab612fe2be
-
SHA256
0b1f550d5ca453918a4677958e69fe850951123f3bc78650ba2c98fcf6683fb5
-
SHA512
b84997aa754233c5f838e8131b35d2cdc2133b3cd2e86e44f5a8e7a5bc1ee495137f1b58076006c3a2d141b5bbd3c0889d08a93a7d520a158463fbccf7c0301c
Malware Config
Extracted
redline
@Joindsa
164.132.202.45:20588
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4072-115-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral2/memory/4072-120-0x000000000041C74E-mapping.dmp family_redline -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 4336 created 5072 4336 WerFault.exe Valorant Skin Changer.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
fl.exeservices32.exesihost32.exepid process 4492 fl.exe 2856 services32.exe 4952 sihost32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Valorant Skin Changer.exedescription pid process target process PID 5072 set thread context of 4072 5072 Valorant Skin Changer.exe AppLaunch.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4336 5072 WerFault.exe Valorant Skin Changer.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
WerFault.exeAppLaunch.execonhost.execonhost.exepid process 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4336 WerFault.exe 4072 AppLaunch.exe 1220 conhost.exe 1756 conhost.exe 1756 conhost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
WerFault.exeAppLaunch.execonhost.execonhost.exedescription pid process Token: SeRestorePrivilege 4336 WerFault.exe Token: SeBackupPrivilege 4336 WerFault.exe Token: SeDebugPrivilege 4336 WerFault.exe Token: SeDebugPrivilege 4072 AppLaunch.exe Token: SeDebugPrivilege 1220 conhost.exe Token: SeDebugPrivilege 1756 conhost.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
Valorant Skin Changer.exeAppLaunch.exefl.execonhost.execmd.execmd.exeservices32.execonhost.exesihost32.exedescription pid process target process PID 5072 wrote to memory of 4072 5072 Valorant Skin Changer.exe AppLaunch.exe PID 5072 wrote to memory of 4072 5072 Valorant Skin Changer.exe AppLaunch.exe PID 5072 wrote to memory of 4072 5072 Valorant Skin Changer.exe AppLaunch.exe PID 5072 wrote to memory of 4072 5072 Valorant Skin Changer.exe AppLaunch.exe PID 5072 wrote to memory of 4072 5072 Valorant Skin Changer.exe AppLaunch.exe PID 4072 wrote to memory of 4492 4072 AppLaunch.exe fl.exe PID 4072 wrote to memory of 4492 4072 AppLaunch.exe fl.exe PID 4492 wrote to memory of 1220 4492 fl.exe conhost.exe PID 4492 wrote to memory of 1220 4492 fl.exe conhost.exe PID 4492 wrote to memory of 1220 4492 fl.exe conhost.exe PID 1220 wrote to memory of 2016 1220 conhost.exe cmd.exe PID 1220 wrote to memory of 2016 1220 conhost.exe cmd.exe PID 2016 wrote to memory of 4460 2016 cmd.exe schtasks.exe PID 2016 wrote to memory of 4460 2016 cmd.exe schtasks.exe PID 1220 wrote to memory of 2320 1220 conhost.exe cmd.exe PID 1220 wrote to memory of 2320 1220 conhost.exe cmd.exe PID 2320 wrote to memory of 2856 2320 cmd.exe services32.exe PID 2320 wrote to memory of 2856 2320 cmd.exe services32.exe PID 2856 wrote to memory of 1756 2856 services32.exe conhost.exe PID 2856 wrote to memory of 1756 2856 services32.exe conhost.exe PID 2856 wrote to memory of 1756 2856 services32.exe conhost.exe PID 1756 wrote to memory of 4952 1756 conhost.exe sihost32.exe PID 1756 wrote to memory of 4952 1756 conhost.exe sihost32.exe PID 4952 wrote to memory of 4188 4952 sihost32.exe conhost.exe PID 4952 wrote to memory of 4188 4952 sihost32.exe conhost.exe PID 4952 wrote to memory of 4188 4952 sihost32.exe conhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Valorant Skin Changer.exe"C:\Users\Admin\AppData\Local\Temp\Valorant Skin Changer.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fl.exe"C:\Users\Admin\AppData\Local\Temp\fl.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fl.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Local\Temp\services32.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Local\Temp\services32.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services32.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\services32.exeC:\Users\Admin\AppData\Local\Temp\services32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services32.exe"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "/sihost32"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 2442⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logMD5
84f2160705ac9a032c002f966498ef74
SHA1e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
SHA2567840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
SHA512f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
-
C:\Users\Admin\AppData\Local\Temp\fl.exeMD5
481cc004b81afcb1ec10bb9985cc402b
SHA186fcf5d85033fcd857c865df4fa1da51b6d53bf5
SHA256589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a
SHA512d31d699551c0d24f86b690f27f9ee07c1778bedb008c40fd7422accfece2ceae089fa2b4508607afd2af8da5fe9f45d0be43911859cc90885b6b6876c45d5fc0
-
C:\Users\Admin\AppData\Local\Temp\fl.exeMD5
481cc004b81afcb1ec10bb9985cc402b
SHA186fcf5d85033fcd857c865df4fa1da51b6d53bf5
SHA256589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a
SHA512d31d699551c0d24f86b690f27f9ee07c1778bedb008c40fd7422accfece2ceae089fa2b4508607afd2af8da5fe9f45d0be43911859cc90885b6b6876c45d5fc0
-
C:\Users\Admin\AppData\Local\Temp\services32.exeMD5
481cc004b81afcb1ec10bb9985cc402b
SHA186fcf5d85033fcd857c865df4fa1da51b6d53bf5
SHA256589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a
SHA512d31d699551c0d24f86b690f27f9ee07c1778bedb008c40fd7422accfece2ceae089fa2b4508607afd2af8da5fe9f45d0be43911859cc90885b6b6876c45d5fc0
-
C:\Users\Admin\AppData\Local\Temp\services32.exeMD5
481cc004b81afcb1ec10bb9985cc402b
SHA186fcf5d85033fcd857c865df4fa1da51b6d53bf5
SHA256589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a
SHA512d31d699551c0d24f86b690f27f9ee07c1778bedb008c40fd7422accfece2ceae089fa2b4508607afd2af8da5fe9f45d0be43911859cc90885b6b6876c45d5fc0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
46b4b994c1ec2e58cb03932f462b9cd0
SHA1bff08dd95b4d7d35fd2642611b2ec2c63904a289
SHA25632f1a2ac794252d3abab03963d67e14209c47b951d9ddcd81fd1b5f820087ed9
SHA512264fae64ecb324229f5c1864775f4454dd233eaa5a4d9244278bda6e2e231d49e6a673eaec9c4b847dfb6e1fe9f98c6168d3f44d06a9ba2f7fbfc691fc1e4363
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
46b4b994c1ec2e58cb03932f462b9cd0
SHA1bff08dd95b4d7d35fd2642611b2ec2c63904a289
SHA25632f1a2ac794252d3abab03963d67e14209c47b951d9ddcd81fd1b5f820087ed9
SHA512264fae64ecb324229f5c1864775f4454dd233eaa5a4d9244278bda6e2e231d49e6a673eaec9c4b847dfb6e1fe9f98c6168d3f44d06a9ba2f7fbfc691fc1e4363
-
memory/1220-427-0x000002BE59A56000-0x000002BE59A57000-memory.dmpFilesize
4KB
-
memory/1220-425-0x000002BE59A50000-0x000002BE59A52000-memory.dmpFilesize
8KB
-
memory/1220-426-0x000002BE59A53000-0x000002BE59A55000-memory.dmpFilesize
8KB
-
memory/1220-424-0x000002BE3F1D0000-0x000002BE3F3C0000-memory.dmpFilesize
1.9MB
-
memory/1756-458-0x000001ECC4C76000-0x000001ECC4C77000-memory.dmpFilesize
4KB
-
memory/1756-456-0x000001ECC4C70000-0x000001ECC4C72000-memory.dmpFilesize
8KB
-
memory/1756-457-0x000001ECC4C73000-0x000001ECC4C75000-memory.dmpFilesize
8KB
-
memory/2016-431-0x0000000000000000-mapping.dmp
-
memory/2320-433-0x0000000000000000-mapping.dmp
-
memory/2856-435-0x0000000000000000-mapping.dmp
-
memory/4072-131-0x0000000008D00000-0x0000000008D01000-memory.dmpFilesize
4KB
-
memory/4072-138-0x000000000A960000-0x000000000A961000-memory.dmpFilesize
4KB
-
memory/4072-144-0x000000000A210000-0x000000000A211000-memory.dmpFilesize
4KB
-
memory/4072-157-0x000000000C540000-0x000000000C541000-memory.dmpFilesize
4KB
-
memory/4072-126-0x0000000009210000-0x0000000009211000-memory.dmpFilesize
4KB
-
memory/4072-123-0x0000000000440000-0x0000000000441000-memory.dmpFilesize
4KB
-
memory/4072-122-0x0000000000440000-0x0000000000441000-memory.dmpFilesize
4KB
-
memory/4072-127-0x0000000008C40000-0x0000000008C41000-memory.dmpFilesize
4KB
-
memory/4072-124-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/4072-129-0x0000000008C00000-0x0000000009206000-memory.dmpFilesize
6.0MB
-
memory/4072-142-0x000000000A240000-0x000000000A241000-memory.dmpFilesize
4KB
-
memory/4072-141-0x0000000009F00000-0x0000000009F01000-memory.dmpFilesize
4KB
-
memory/4072-128-0x0000000008D70000-0x0000000008D71000-memory.dmpFilesize
4KB
-
memory/4072-143-0x000000000A360000-0x000000000A361000-memory.dmpFilesize
4KB
-
memory/4072-137-0x000000000A430000-0x000000000A431000-memory.dmpFilesize
4KB
-
memory/4072-121-0x0000000000440000-0x0000000000441000-memory.dmpFilesize
4KB
-
memory/4072-115-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/4072-120-0x000000000041C74E-mapping.dmp
-
memory/4072-130-0x0000000008CC0000-0x0000000008CC1000-memory.dmpFilesize
4KB
-
memory/4072-136-0x0000000009D30000-0x0000000009D31000-memory.dmpFilesize
4KB
-
memory/4072-132-0x0000000000440000-0x0000000000441000-memory.dmpFilesize
4KB
-
memory/4188-468-0x00000299F76E0000-0x00000299F76E2000-memory.dmpFilesize
8KB
-
memory/4188-467-0x00000299F5AA0000-0x00000299F5AA6000-memory.dmpFilesize
24KB
-
memory/4188-469-0x00000299F76E3000-0x00000299F76E5000-memory.dmpFilesize
8KB
-
memory/4188-470-0x00000299F76E6000-0x00000299F76E7000-memory.dmpFilesize
4KB
-
memory/4460-432-0x0000000000000000-mapping.dmp
-
memory/4492-412-0x0000000000000000-mapping.dmp
-
memory/4952-452-0x0000000000000000-mapping.dmp