Analysis
- max time kernel: 91s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-04-2022 10:57

Static task: static1

Behavioral task: behavioral1
- Sample: StartGame.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: StartGame.exe
- Resource: win10v2004-20220414-en
General
- Target: StartGame.exe
- Size: 1MB
- MD5: 25c21aab69d1e63b0c9c60475b802bfd
- SHA1: c3821a2f7e19ad83b867be99a43d56980f30640b
- SHA256: cd0f9aa670c5bad5db2db4c3b98dca1449863b827a5c83a9f7891a60d97d2363
- SHA512: d41fee747cd5e90a79c5d0bdf510f2aee8d5c1d680541b8c4ed9b7d4f5d83c4192eb5b5600ac286e38f4d8a9fd59e6793a7b08e6a9aee030ac7978fbe902441a
Malware Config
Extracted: redline
- 1
- 65.108.3.162:19747
- auth_value: 95517c2a2f56575288c35d9dfde4a6aa
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoC)
  Resource: behavioral2/memory/1364-133-0x0000000000400000-0x0000000000420000-memory.dmp, YARA rule: family_redline
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Process: StartGame.exe (PID 4416) set thread context of PID 1364 (target process: AppLaunch.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: AppLaunch.exe (PID 1364)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: AppLaunch.exe (PID 1364), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (5 IoCs)
  Process: StartGame.exe (PID 4416) wrote to memory of PID 1364 (target process: AppLaunch.exe); the report lists this event 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\StartGame.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\StartGame.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1364-141-0x00000000059A0000-0x00000000059DC000-memory.dmp (Filesize: 240KB)
- memory/1364-143-0x0000000005DD0000-0x0000000005E62000-memory.dmp (Filesize: 584KB)
- memory/1364-133-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1364-138-0x0000000005EA0000-0x00000000064B8000-memory.dmp (Filesize: 6MB)
- memory/1364-139-0x0000000005900000-0x0000000005912000-memory.dmp (Filesize: 72KB)
- memory/1364-140-0x0000000005A30000-0x0000000005B3A000-memory.dmp (Filesize: 1MB)
- memory/1364-132-0x0000000000000000-mapping.dmp
- memory/1364-142-0x0000000006A70000-0x0000000007014000-memory.dmp (Filesize: 5MB)
- memory/1364-149-0x00000000075A0000-0x00000000075F0000-memory.dmp (Filesize: 320KB)
- memory/1364-144-0x00000000064C0000-0x0000000006536000-memory.dmp (Filesize: 472KB)
- memory/1364-145-0x0000000005E80000-0x0000000005E9E000-memory.dmp (Filesize: 120KB)
- memory/1364-146-0x0000000006920000-0x0000000006986000-memory.dmp (Filesize: 408KB)
- memory/1364-147-0x00000000075F0000-0x00000000077B2000-memory.dmp (Filesize: 1MB)
- memory/1364-148-0x0000000008070000-0x000000000859C000-memory.dmp (Filesize: 5MB)
- memory/4416-130-0x0000000000560000-0x0000000000732000-memory.dmp (Filesize: 1MB)