Analysis

  • max time kernel
    91s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-04-2022 10:57

General

  • Target

    StartGame.exe

  • Size

    1MB

  • MD5

    25c21aab69d1e63b0c9c60475b802bfd

  • SHA1

    c3821a2f7e19ad83b867be99a43d56980f30640b

  • SHA256

    cd0f9aa670c5bad5db2db4c3b98dca1449863b827a5c83a9f7891a60d97d2363

  • SHA512

    d41fee747cd5e90a79c5d0bdf510f2aee8d5c1d680541b8c4ed9b7d4f5d83c4192eb5b5600ac286e38f4d8a9fd59e6793a7b08e6a9aee030ac7978fbe902441a

Malware Config

Extracted

Family

redline

Botnet

1

C2

65.108.3.162:19747

Attributes
auth_value
95517c2a2f56575288c35d9dfde4a6aa

Signatures 7

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload ⋅ 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 5 IoCs

Processes 2

  • C:\Users\Admin\AppData\Local\Temp\StartGame.exe
    "C:\Users\Admin\AppData\Local\Temp\StartGame.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1364

Network

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

      Discovery

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                    Privilege Escalation

                      Replay Monitor

                      00:00 00:00

                      Downloads

                      • memory/1364-141-0x00000000059A0000-0x00000000059DC000-memory.dmp
                      • memory/1364-143-0x0000000005DD0000-0x0000000005E62000-memory.dmp
                      • memory/1364-133-0x0000000000400000-0x0000000000420000-memory.dmp
                      • memory/1364-138-0x0000000005EA0000-0x00000000064B8000-memory.dmp
                      • memory/1364-139-0x0000000005900000-0x0000000005912000-memory.dmp
                      • memory/1364-140-0x0000000005A30000-0x0000000005B3A000-memory.dmp
                      • memory/1364-132-0x0000000000000000-mapping.dmp
                      • memory/1364-142-0x0000000006A70000-0x0000000007014000-memory.dmp
                      • memory/1364-149-0x00000000075A0000-0x00000000075F0000-memory.dmp
                      • memory/1364-144-0x00000000064C0000-0x0000000006536000-memory.dmp
                      • memory/1364-145-0x0000000005E80000-0x0000000005E9E000-memory.dmp
                      • memory/1364-146-0x0000000006920000-0x0000000006986000-memory.dmp
                      • memory/1364-147-0x00000000075F0000-0x00000000077B2000-memory.dmp
                      • memory/1364-148-0x0000000008070000-0x000000000859C000-memory.dmp
                      • memory/4416-130-0x0000000000560000-0x0000000000732000-memory.dmp