Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-10-2021 15:40
Static task: static1
Behavioral task: behavioral1
- Sample: 95029e00a50b60c370c4fcdc60cb0b6d.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 95029e00a50b60c370c4fcdc60cb0b6d.exe
- Resource: win10-en-20210920
General
- Target: 95029e00a50b60c370c4fcdc60cb0b6d.exe
- Size: 656KB
- MD5: 95029e00a50b60c370c4fcdc60cb0b6d
- SHA1: c4d156c2f55fae1cc834e5f0a455d7804dc005eb
- SHA256: 46364afc53eb092dd409e8b31aa2bac984388678baef9154a8dac3d2aee58bfd
- SHA512: 8fa4ddc75198894f8e6bffef5331b3b98c759cdc6ee60333d66db5084b0b16981d9d7f20ec41c0988152275c33853ab31882648be4ea7f3b332d591ef634ae60
Malware Config
Extracted
- Family: redline
- Botnet: itit
- C2: 185.213.211.110:35105
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3440-124-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral2/memory/3440-125-0x000000000041B23E-mapping.dmp | family_redline
behavioral2/memory/3440-133-0x0000000004F10000-0x0000000005516000-memory.dmp | family_redline
- Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2640 set thread context of 3440 | 2640 | 95029e00a50b60c370c4fcdc60cb0b6d.exe | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 2640 wrote to memory of 3440 | 2640 | 95029e00a50b60c370c4fcdc60cb0b6d.exe | RegSvcs.exe
(the same event is recorded 8 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\95029e00a50b60c370c4fcdc60cb0b6d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\95029e00a50b60c370c4fcdc60cb0b6d.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Downloads
memory dump | filesize
memory/2640-115-0x0000000000F10000-0x0000000000F11000-memory.dmp | 4KB
memory/2640-117-0x0000000005C80000-0x0000000005C81000-memory.dmp | 4KB
memory/2640-118-0x0000000005820000-0x0000000005821000-memory.dmp | 4KB
memory/2640-119-0x0000000005780000-0x0000000005C7E000-memory.dmp | 5.0MB
memory/2640-120-0x0000000005800000-0x0000000005801000-memory.dmp | 4KB
memory/2640-121-0x0000000005A00000-0x0000000005A07000-memory.dmp | 28KB
memory/2640-122-0x0000000006560000-0x0000000006561000-memory.dmp | 4KB
memory/2640-123-0x0000000006520000-0x000000000655E000-memory.dmp | 248KB
memory/3440-124-0x0000000000400000-0x0000000000422000-memory.dmp | 136KB
memory/3440-125-0x000000000041B23E-mapping.dmp | (no size reported)
memory/3440-128-0x0000000005520000-0x0000000005521000-memory.dmp | 4KB
memory/3440-129-0x0000000002A00000-0x0000000002A01000-memory.dmp | 4KB
memory/3440-130-0x0000000005020000-0x0000000005021000-memory.dmp | 4KB
memory/3440-131-0x0000000004F50000-0x0000000004F51000-memory.dmp | 4KB
memory/3440-132-0x0000000004F90000-0x0000000004F91000-memory.dmp | 4KB
memory/3440-133-0x0000000004F10000-0x0000000005516000-memory.dmp | 6.0MB