Analysis

  • max time kernel
    42s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-05-2022 08:13

General

  • Target

    1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe

  • Size

    128KB

  • MD5

    77b49c81d784041d22770dbfeba1c7a8

  • SHA1

    226bbfa4106903b2abd5258570a50015735470dd

  • SHA256

    c0c4c8b30747f29c680f7ce6dac8440f526cdddcb800ef69a6c2cd44077af2dc

  • SHA512

    e2e3869e577372f911a03eb36012acf708dc19f4f8592e99a478cfc11791980e5465bc222ed21e873d49193cb2aae30e3477d4da4269512733cda5d2ab2b032d

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Install

  • C2

    176.10.119.117:27038

  • Attributes

    auth_value: 701b6467f584b2d5c52fa31ecce6761d

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 504
      2⤵
      • Program crash
      PID:896

Network

MITRE ATT&CK Matrix

Downloads

  • memory/896-55-0x0000000000000000-mapping.dmp
  • memory/1880-54-0x0000000001190000-0x00000000011B0000-memory.dmp
    Filesize

    128KB