Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    16-12-2021 13:23

General

  • Target

    a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe

  • Size

    473KB

  • MD5

    67152b967be7058c9d7bc02353b342eb

  • SHA1

    38b63764e9be58180353cbb206f13a6668bcb9d4

  • SHA256

    a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f

  • SHA512

    87abe65d91fd7724bbd15a1008658ccf54a350370c107b2f69f42f6b105a4d0d54ff1adcf2e34a1988cd71f51a1710328d4a16cbfbf6b0fc567e51aeee1322ab

Malware Config

Extracted

Family

redline

Botnet

Siski

C2

109.248.201.17:34060

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
    "C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
      C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
      2⤵
        PID:3888
      • C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
        C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
        2⤵
          PID:1348
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 160
            3⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:924

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1348-119-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/1348-120-0x000000000041932A-mapping.dmp
      • memory/3764-115-0x0000000000D40000-0x0000000000D41000-memory.dmp
        Filesize

        4KB

      • memory/3764-118-0x0000000005500000-0x0000000005501000-memory.dmp
        Filesize

        4KB

      • memory/3764-117-0x00000000057C0000-0x00000000057C1000-memory.dmp
        Filesize

        4KB