Analysis
- max time kernel: 112s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 30-03-2022 21:13
Static task: static1
Behavioral task: behavioral1
- Sample: fb89d57447db2445a18842b156ede54a.exe
- Resource: win7-20220311-en
General
- Target: fb89d57447db2445a18842b156ede54a.exe
- Size: 1.6MB
- MD5: fb89d57447db2445a18842b156ede54a
- SHA1: 69fd005c7f4da455cc16198c308c02597aeed475
- SHA256: 12dd9be4130d2815e1996e2179b5e0af874bc1bca280b455f17ff96aace7293c
- SHA512: 2dca1e302379ec0543ff4e9f8f4dc18c1ef76b758fb17823f9a6835fbfbcd1afce759719592060db1a95ba3085ed6fbb9678b364342a8b22e2c982928c2e47be
Malware Config
Extracted: redline
- 1: 116.202.11.19:24855
- auth_value: 24b5bd5b441536b793bf4e2a4d143416
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  Processes:
  resource: behavioral2/memory/3836-131-0x0000000000400000-0x0000000000420000-memory.dmp | yara_rule: family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: fb89d57447db2445a18842b156ede54a.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: fb89d57447db2445a18842b156ede54a.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks whether UAC is enabled
  Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: fb89d57447db2445a18842b156ede54a.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description: PID 4340 set thread context of 3836 | pid: 4340 | process: fb89d57447db2445a18842b156ede54a.exe | target process: AppLaunch.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid: 3836 | process: AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege | pid: 3836 | process: AppLaunch.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description: PID 4340 wrote to memory of 3836 | pid: 4340 | process: fb89d57447db2445a18842b156ede54a.exe | target process: AppLaunch.exe
  description: PID 4340 wrote to memory of 3836 | pid: 4340 | process: fb89d57447db2445a18842b156ede54a.exe | target process: AppLaunch.exe
  description: PID 4340 wrote to memory of 3836 | pid: 4340 | process: fb89d57447db2445a18842b156ede54a.exe | target process: AppLaunch.exe
  description: PID 4340 wrote to memory of 3836 | pid: 4340 | process: fb89d57447db2445a18842b156ede54a.exe | target process: AppLaunch.exe
  description: PID 4340 wrote to memory of 3836 | pid: 4340 | process: fb89d57447db2445a18842b156ede54a.exe | target process: AppLaunch.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb89d57447db2445a18842b156ede54a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb89d57447db2445a18842b156ede54a.exe"
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3836-140-0x0000000005780000-0x00000000057BC000-memory.dmp (Filesize 240KB)
- memory/3836-130-0x0000000000000000-mapping.dmp
- memory/3836-147-0x0000000007AD0000-0x0000000007FFC000-memory.dmp (Filesize 5.2MB)
- memory/3836-137-0x0000000005C80000-0x0000000006298000-memory.dmp (Filesize 6.1MB)
- memory/3836-138-0x0000000005720000-0x0000000005732000-memory.dmp (Filesize 72KB)
- memory/3836-139-0x0000000005850000-0x000000000595A000-memory.dmp (Filesize 1.0MB)
- memory/3836-131-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/3836-141-0x0000000005AC0000-0x0000000005B36000-memory.dmp (Filesize 472KB)
- memory/3836-144-0x00000000062C0000-0x00000000062DE000-memory.dmp (Filesize 120KB)
- memory/3836-143-0x0000000006850000-0x0000000006DF4000-memory.dmp (Filesize 5.6MB)
- memory/3836-142-0x0000000005BE0000-0x0000000005C72000-memory.dmp (Filesize 584KB)
- memory/3836-145-0x0000000006720000-0x0000000006786000-memory.dmp (Filesize 408KB)
- memory/3836-146-0x00000000073D0000-0x0000000007592000-memory.dmp (Filesize 1.8MB)
- memory/4340-136-0x0000000002600000-0x0000000002660000-memory.dmp (Filesize 384KB)