Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 24-11-2021 02:34
Static task: static1
Behavioral task: behavioral1
- Sample: bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
- Resource: win10-en-20211104
General
- Target: bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
- Size: 396KB
- MD5: 093cdb435c4003e1a7d4269e332730a1
- SHA1: c8cff0231c22d5285a73f03b7624b4c60d79b820
- SHA256: bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613
- SHA512: 9df903c6e990c2f253f82aa9f618f9cfbdead034d34a4cbfdf1fb08f36ceaeb65041faa1fbf17fee972d15a577269aec400cc9ce948041cb7bc77cc04d39ffb8
Malware Config
Extracted
- Family: redline
- C2: 135.181.245.89:24368
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2616-126-0x0000000000418EEA-mapping.dmp | family_redline
  behavioral1/memory/2616-125-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 2580 set thread context of 2616 | 2580 | bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe | bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  2580 | bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
  2580 | bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2580 | bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2580 wrote to memory of 2616 | 2580 | bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe | bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
  (the same row is recorded eight times: eight writes from PID 2580 into PID 2616)
Processes
1. C:\Users\Admin\AppData\Local\Temp\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Users\Admin\AppData\Local\Temp\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
      command line: C:\Users\Admin\AppData\Local\Temp\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
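The behaviour above is the classic RunPE / process-hollowing sequence: the sample launches a second copy of its own image (PID 2580 spawning PID 2616), writes into the child eight times, then calls SetThreadContext on it, and the RedLine YARA rule fires on the child's 0x400000-0x420000 region. As an added example that is not part of the sandbox report or the sample, the Python below parses event lines re-typed in the shape of the Processes tables above (constructed input, same PIDs and image as the report) and correlates them into a hollowing verdict, then locates each "-mapping.dmp" address inside the dumped regions of the same PID. Treating the mapping address as the point the hijacked thread was redirected to is an assumption; the report does not define the term.

```python
"""Correlate flattened sandbox behaviour events into a process-hollowing verdict."""
import re
from collections import defaultdict

# Constructed sample input: the report's table rows, re-typed as single strings.
IMG = "bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe"
EVENTS = [
    f"PID 2580 set thread context of 2616 2580 {IMG} {IMG}",
    f"Token: SeDebugPrivilege 2580 {IMG}",
] + [f"PID 2580 wrote to memory of 2616 2580 {IMG} {IMG}"] * 8

DUMPS = [
    "memory/2616-126-0x0000000000418EEA-mapping.dmp",
    "memory/2616-125-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/2580-121-0x00000000058B0000-0x0000000005901000-memory.dmp",
]

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
TOK_RE = re.compile(r"Token: (\w+) (\d+) (\S+)")
# memory/<pid>-<index>-0x<start>[-0x<end>]-<kind>.dmp
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(\w+)\.dmp")


def parse_events(lines):
    """Group write/context events by (parent, child); collect privileges per pid."""
    pairs = defaultdict(lambda: {"wpm": 0, "ctx": 0, "same_image": False})
    privs = defaultdict(set)
    for line in lines:
        if m := CTX_RE.match(line):
            p, c, pimg, cimg = m.groups()
            pairs[(int(p), int(c))]["ctx"] += 1
            pairs[(int(p), int(c))]["same_image"] = pimg == cimg
        elif m := WPM_RE.match(line):
            p, c, pimg, cimg = m.groups()
            pairs[(int(p), int(c))]["wpm"] += 1
            pairs[(int(p), int(c))]["same_image"] = pimg == cimg
        elif m := TOK_RE.match(line):
            priv, pid, _ = m.groups()
            privs[int(pid)].add(priv)
    return pairs, privs


def hollowing_verdicts(lines):
    """Flag parent->child pairs that both write remote memory and reset a thread
    context. Spawning one's own image, writing into it and then SetThreadContext
    is the RunPE / hollowing pattern; SeDebugPrivilege on the parent is a bonus."""
    pairs, privs = parse_events(lines)
    verdicts = []
    for (parent, child), s in pairs.items():
        if s["wpm"] and s["ctx"]:
            verdicts.append({
                "parent": parent,
                "child": child,
                "writes": s["wpm"],
                "same_image": s["same_image"],
                "debug_priv": "SeDebugPrivilege" in privs[parent],
            })
    return verdicts


def parse_dumps(names):
    """Split dump names into (pid, start, end) regions and (pid, addr) mappings."""
    regions, mappings = [], []
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid, start, end, kind = m.groups()
        if kind == "mapping":
            mappings.append((int(pid), int(start, 16)))
        else:
            regions.append((int(pid), int(start, 16), int(end, 16)))
    return regions, mappings


def mapping_regions(names):
    """For each mapping address, return the same-PID dumped region containing it
    and that region's size in bytes (assumption: the mapping address is where the
    hijacked thread was pointed, so it should fall inside the written image)."""
    regions, mappings = parse_dumps(names)
    hits = []
    for pid, addr in mappings:
        for rpid, lo, hi in regions:
            if rpid == pid and lo <= addr < hi:
                hits.append((pid, hex(addr), hex(lo), hex(hi), hi - lo))
    return hits


if __name__ == "__main__":
    for v in hollowing_verdicts(EVENTS):
        print("hollowing:", v)
    for h in mapping_regions(DUMPS):
        print("mapping inside region:", h)
```

Run against the report's rows, the verdict is a single 2580 -> 2616 pair with eight writes, identical parent and child image, and SeDebugPrivilege held by the parent; the mapping address 0x418EEA lands inside the 128KB 0x400000-0x420000 region of PID 2616, the same dump the family_redline rule matched.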
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe.log
  MD5: daa436d058b25bdde9e2d6fe53c6ccf6
  SHA1: 3fc5d1eab28db05865915d8f6d9ecf85d9cc1d9e
  SHA256: afb0ed8659b214fe4251a87a1c0a362c123363497fbd50737c1ae36a9376c4cd
  SHA512: 84f13582070ae4a3a9bb5e4b29620e659c258ab282e43e9bfa50528c08aae875d8c33cf3647fbb1253102af39b89f3b97f316e62f544355cc9c379e04fba960a
- memory/2580-120-0x00000000053A0000-0x00000000053A1000-memory.dmp (Filesize: 4KB)
- memory/2580-121-0x00000000058B0000-0x0000000005901000-memory.dmp (Filesize: 324KB)
- memory/2580-122-0x00000000059A0000-0x00000000059A1000-memory.dmp (Filesize: 4KB)
- memory/2580-123-0x0000000005F10000-0x0000000005F11000-memory.dmp (Filesize: 4KB)
- memory/2580-124-0x0000000005A80000-0x0000000005A98000-memory.dmp (Filesize: 96KB)
- memory/2580-118-0x00000000007E0000-0x00000000007E1000-memory.dmp (Filesize: 4KB)
- memory/2616-126-0x0000000000418EEA-mapping.dmp
- memory/2616-125-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/2616-130-0x0000000005660000-0x0000000005661000-memory.dmp (Filesize: 4KB)
- memory/2616-131-0x00000000050B0000-0x00000000050B1000-memory.dmp (Filesize: 4KB)
- memory/2616-132-0x00000000051E0000-0x00000000051E1000-memory.dmp (Filesize: 4KB)
- memory/2616-133-0x0000000005110000-0x0000000005111000-memory.dmp (Filesize: 4KB)
- memory/2616-134-0x0000000005150000-0x0000000005151000-memory.dmp (Filesize: 4KB)
- memory/2616-135-0x0000000005050000-0x0000000005656000-memory.dmp (Filesize: 6.0MB)