Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 15-10-2021 21:54
Static task: static1
Behavioral task: behavioral1
- Sample: Mopes Hack.exe
- Resource: win7-en-20211014 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: Mopes Hack.exe
- Resource: win10-en-20210920 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Mopes Hack.exe
- Size: 326KB
- MD5: 83e60135c26872fa756fcb26553be6cb
- SHA1: 3df616b4b4df6faba9373f78dac9a277c07cb26a
- SHA256: e4331c8eab3a20db74f66603fac6ff6a3faca677176a4015dea2a4665fb3f13f
- SHA512: 10834fa839db185629dfce92da2334d4c69dc05041ee045c08610085febeebac054f6c5b64e5a1e259ca06144e6bdc0a91a56acbba130dd6e0aeeb8cfbb67b26
Score: 10/10
Malware Config
Extracted
- Family: redline
- Botnet: @silistrii_LZT
- C2: arujuyrana.xyz:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1760-55-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
  behavioral1/memory/1760-60-0x000000000041B246-mapping.dmp | family_redline
  behavioral1/memory/1760-61-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
  behavioral1/memory/1760-62-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Mopes Hack.exe
  description | pid | process | target process
  PID 1548 set thread context of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Mopes Hack.exe
  description | pid | process | target process
  PID 1548 wrote to memory of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
  PID 1548 wrote to memory of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
  PID 1548 wrote to memory of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
  PID 1548 wrote to memory of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
  PID 1548 wrote to memory of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
  PID 1548 wrote to memory of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
  PID 1548 wrote to memory of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
  PID 1548 wrote to memory of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
  PID 1548 wrote to memory of 1760 | 1548 | Mopes Hack.exe | AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Mopes Hack.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mopes Hack.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1760-54-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1760-55-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1760-60-0x000000000041B246-mapping.dmp
- memory/1760-61-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1760-62-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1760-63-0x00000000768A1000-0x00000000768A3000-memory.dmp (Filesize: 8KB)
- memory/1760-64-0x0000000000400000-0x0000000000401000-memory.dmp (Filesize: 4KB)
- memory/1760-66-0x0000000000A80000-0x0000000000A81000-memory.dmp (Filesize: 4KB)