Overview

overview

10

Static

static

StartGame.exe

windows7_x64

StartGame.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-04-2022 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    StartGame.exe

  • Size

    1.8MB

  • MD5

    25c21aab69d1e63b0c9c60475b802bfd

  • SHA1

    c3821a2f7e19ad83b867be99a43d56980f30640b

  • SHA256

    cd0f9aa670c5bad5db2db4c3b98dca1449863b827a5c83a9f7891a60d97d2363

  • SHA512

    d41fee747cd5e90a79c5d0bdf510f2aee8d5c1d680541b8c4ed9b7d4f5d83c4192eb5b5600ac286e38f4d8a9fd59e6793a7b08e6a9aee030ac7978fbe902441a

Score
10/10
redline1infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

1

C2

65.108.3.162:19747

Attributes
  • auth_value

    95517c2a2f56575288c35d9dfde4a6aa

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\StartGame.exe
    "C:\Users\Admin\AppData\Local\Temp\StartGame.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1364-141-0x00000000059A0000-0x00000000059DC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1364-143-0x0000000005DD0000-0x0000000005E62000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1364-133-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1364-138-0x0000000005EA0000-0x00000000064B8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1364-139-0x0000000005900000-0x0000000005912000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1364-140-0x0000000005A30000-0x0000000005B3A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1364-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1364-142-0x0000000006A70000-0x0000000007014000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1364-149-0x00000000075A0000-0x00000000075F0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1364-144-0x00000000064C0000-0x0000000006536000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1364-145-0x0000000005E80000-0x0000000005E9E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1364-146-0x0000000006920000-0x0000000006986000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1364-147-0x00000000075F0000-0x00000000077B2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1364-148-0x0000000008070000-0x000000000859C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4416-130-0x0000000000560000-0x0000000000732000-memory.dmp
    Filesize

    1.8MB

    Download