Analysis
-
max time kernel
42s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
16-05-2022 08:13
Behavioral task
behavioral1
Sample
1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe
Resource
win10v2004-20220414-en
General
-
Target
1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe
-
Size
128KB
-
MD5
77b49c81d784041d22770dbfeba1c7a8
-
SHA1
226bbfa4106903b2abd5258570a50015735470dd
-
SHA256
c0c4c8b30747f29c680f7ce6dac8440f526cdddcb800ef69a6c2cd44077af2dc
-
SHA512
e2e3869e577372f911a03eb36012acf708dc19f4f8592e99a478cfc11791980e5465bc222ed21e873d49193cb2aae30e3477d4da4269512733cda5d2ab2b032d
Malware Config
Extracted
redline
Install
176.10.119.117:27038
-
auth_value
701b6467f584b2d5c52fa31ecce6761d
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1880-54-0x0000000001190000-0x00000000011B0000-memory.dmp family_redline -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 896 1880 WerFault.exe 1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
1212-65-0x00000000004A0000-0x00000000004C0000-memory.exedescription pid process target process PID 1880 wrote to memory of 896 1880 1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe WerFault.exe PID 1880 wrote to memory of 896 1880 1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe WerFault.exe PID 1880 wrote to memory of 896 1880 1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe WerFault.exe PID 1880 wrote to memory of 896 1880 1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe"C:\Users\Admin\AppData\Local\Temp\1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 5042⤵
- Program crash