Analysis
max time kernel: 4294180s
max time network: 124s
platform: windows7_x64
resource: win7-20220311-en
submitted: 23-03-2022 04:44
Static task: static1
Behavioral task: behavioral1, Sample: 62434278.exe, Resource: win7-20220311-en
Behavioral task: behavioral2, Sample: 62434278.exe, Resource: win10v2004-20220310-en
General
Target: 62434278.exe
Size: 4.0MB
MD5: a9dcb01f21ef3159226eb0c179d26767
SHA1: 31606eecdbb999c83908e3ac9cb3b64c43923992
SHA256: 7dd0e4164bf63cdd163874c0f58e165362de6f109c2d750150c877f3018108c2
SHA512: 5c7a4a6846514dd8eb3498d89a9d28519c6220654670c02e18aec2a6c28ad64db338c1a202052bb83c3f3d221c2ec2b713bd59705d35efaec21e7e331e9f4919
Malware Config
Extracted
Family: redline
Botnet: @JABKA9983
C2: 92.255.85.137:41320
auth_value: 507a0c408947972b94cf44475f601269
Signatures
RedLine
RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.

RedLine Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/712-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/712-64-0x000000000041908A-mapping.dmp | family_redline
behavioral1/memory/712-66-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/712-65-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 792 set thread context of 712 | 792 | 62434278.exe | AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
712 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 712 | AppLaunch.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process
PID 792 wrote to memory of 712 | 792 | 62434278.exe | AppLaunch.exe (this row is recorded 9 times)

Taken together, the sample (PID 792) writes into the legitimate .NET host AppLaunch.exe (PID 712) and then sets its thread context, the sequence of a process-hollowing injection; the RedLine payload rules match only in the child's 0x400000-0x420000 region, and it is the child that enables SeDebugPrivilege and enumerates processes. Hunt on that pairing (a Temp-resident executable as parent of AppLaunch.exe with no command-line arguments) rather than on the file hashes alone.
Processes
C:\Users\Admin\AppData\Local\Temp\62434278.exe (command line: "C:\Users\Admin\AppData\Local\Temp\62434278.exe"), PID: 792
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"), PID: 712, child of PID 792
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
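Detection logic for the injection chain shown in the signature tables and the process tree above, as an added example (it is not part of this sandbox report and not RedLine or Triage code). It runs over event records constructed here from the report's own tables (PID 792 writing nine times into PID 712 and setting its thread context; the child enabling SeDebugPrivilege and enumerating processes) and requires both WriteProcessMemory and SetThreadContext on the same parent/child pair before raising a finding. The event field names, the scoring weights, and the list of .NET framework hosts other than AppLaunch.exe are assumptions that generalize the page's single case.

```python
"""Flag process-hollowing style injection from per-process API event records.

Added example, not from the report above. Field names (api, pid, image,
target_pid, target_image, privilege) are assumed; the events in report_events()
are constructed from the report's signature tables.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Iterable

# Legitimate .NET framework hosts that loaders hollow out. AppLaunch.exe is the
# one in this report; the other names are an added assumption.
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Directories an unprivileged user can write to; a loader running from one is a bad sign.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\public\\")


@dataclass
class Finding:
    parent_pid: int
    child_pid: int
    parent_image: str
    child_image: str
    reasons: list[str] = field(default_factory=list)
    score: int = 0


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_injection(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per (parent, child) pair that was both written to and
    had its thread context set by the parent; extra context raises the score."""
    cross: dict[tuple[int, int], dict[str, int]] = defaultdict(lambda: defaultdict(int))
    images: dict[int, str] = {}
    child_acts: dict[int, set[str]] = defaultdict(set)

    for ev in events:
        images.setdefault(ev["pid"], ev["image"])
        if "target_pid" in ev:  # cross-process call: WriteProcessMemory, SetThreadContext, ...
            images.setdefault(ev["target_pid"], ev["target_image"])
            cross[(ev["pid"], ev["target_pid"])][ev["api"]] += 1
        elif ev["api"] == "AdjustPrivilegeToken":
            child_acts[ev["pid"]].add("priv:" + ev.get("privilege", ""))
        elif ev["api"] == "EnumerateProcesses":
            child_acts[ev["pid"]].add("enum_processes")

    findings: list[Finding] = []
    for (ppid, cpid), apis in cross.items():
        writes = apis.get("WriteProcessMemory", 0)
        ctx = apis.get("SetThreadContext", 0)
        if not (writes and ctx):
            continue  # either call alone is common (debuggers, AV); require both
        f = Finding(ppid, cpid, images.get(ppid, "?"), images.get(cpid, "?"))
        f.reasons.append(f"{writes} WriteProcessMemory + {ctx} SetThreadContext into child")
        f.score = 50
        if _basename(f.child_image) in DOTNET_HOSTS:
            f.reasons.append("target is a .NET framework host binary")
            f.score += 20
        if any(d in f.parent_image.lower() for d in USER_WRITABLE):
            f.reasons.append("parent runs from a user-writable directory")
            f.score += 15
        if "priv:SeDebugPrivilege" in child_acts[cpid]:
            f.reasons.append("child enabled SeDebugPrivilege")
            f.score += 10
        if "enum_processes" in child_acts[cpid]:
            f.reasons.append("child enumerates processes")
            f.score += 5
        findings.append(f)
    return sorted(findings, key=lambda x: -x.score)


LOADER = r"C:\Users\Admin\AppData\Local\Temp\62434278.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"


def report_events() -> list[dict]:
    """Event records constructed from the report's signature tables (not a real log)."""
    xproc = {"pid": 792, "image": LOADER, "target_pid": 712, "target_image": HOST}
    evs = [dict(xproc, api="WriteProcessMemory") for _ in range(9)]
    evs.append(dict(xproc, api="SetThreadContext"))
    evs.append({"api": "AdjustPrivilegeToken", "pid": 712, "image": HOST, "privilege": "SeDebugPrivilege"})
    evs.append({"api": "EnumerateProcesses", "pid": 712, "image": HOST})
    return evs


if __name__ == "__main__":
    for f in detect_injection(report_events()):
        print(f"[score {f.score}] {f.parent_image} (PID {f.parent_pid}) -> {f.child_image} (PID {f.child_pid})")
        for r in f.reasons:
            print("   -", r)
```

On the constructed events the loader/AppLaunch.exe pair scores 100 with all five reasons; a lone WriteProcessMemory with no SetThreadContext on the same pair produces no finding, which keeps debuggers and security tooling from tripping the rule.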
Network
MITRE ATT&CK Enterprise v6
Downloads
memory dump | size
memory/712-59-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/712-57-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/712-64-0x000000000041908A-mapping.dmp | (no size listed)
memory/712-66-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/712-65-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/712-67-0x0000000076AC1000-0x0000000076AC3000-memory.dmp | 8KB
memory/792-54-0x0000000000400000-0x0000000000891000-memory.dmp | 4.6MB
memory/792-55-0x0000000000360000-0x00000000003C0000-memory.dmp | 384KB
memory/792-56-0x0000000000400000-0x0000000000891000-memory.dmp | 4.6MB