Analysis
- max time kernel: 71s
- max time network: 80s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-05-2022 01:23
Static task: static1
Behavioral task: behavioral1
- Sample: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
- Resource: win10v2004-20220414-en
General
- Target: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
- Size: 798KB
- MD5: 4c274d6a3b4f39556ecd377da5492982
- SHA1: 559fcd5cfcb3477571c8a36e451375e2b0405754
- SHA256: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09
- SHA512: 8433324ac1a4b0ce7fd8f096a889d3b525fe80dd8faadc23439b3fe6be6d100e76c7cfc3749360b57455a50faea5a8670e6ddfb354599dca9b6b8577d8ccddf8
Malware Config
Extracted
- Family: redline
- Botnet: Mastif
- C2: 94.103.93.226:81
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (6 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1716-60-0x0000000000400000-0x000000000042C000-memory.dmp | family_redline
behavioral1/memory/1716-61-0x0000000000400000-0x000000000042C000-memory.dmp | family_redline
behavioral1/memory/1716-62-0x0000000000400000-0x000000000042C000-memory.dmp | family_redline
behavioral1/memory/1716-63-0x0000000000427D9E-mapping.dmp | family_redline
behavioral1/memory/1716-65-0x0000000000400000-0x000000000042C000-memory.dmp | family_redline
behavioral1/memory/1716-67-0x0000000000400000-0x000000000042C000-memory.dmp | family_redline
- Suspicious use of SetThreadContext (1 IoC)
Processes: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
description | pid | process | target process
PID 292 set thread context of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
- Kills process with taskkill (1 IoC)
Processes: taskkill.exe
pid | process
880 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 1716 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
Token: SeDebugPrivilege | 880 | taskkill.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
Processes: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe, 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe, cmd.exe
description | pid | process | target process
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716 | 292 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 1716 wrote to memory of 672 | 1716 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | cmd.exe
PID 1716 wrote to memory of 672 | 1716 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | cmd.exe
PID 1716 wrote to memory of 672 | 1716 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | cmd.exe
PID 1716 wrote to memory of 672 | 1716 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | cmd.exe
PID 672 wrote to memory of 880 | 672 | cmd.exe | taskkill.exe
PID 672 wrote to memory of 880 | 672 | cmd.exe | taskkill.exe
PID 672 wrote to memory of 880 | 672 | cmd.exe | taskkill.exe
PID 672 wrote to memory of 880 | 672 | cmd.exe | taskkill.exe
PID 672 wrote to memory of 1480 | 672 | cmd.exe | choice.exe
PID 672 wrote to memory of 1480 | 672 | cmd.exe | choice.exe
PID 672 wrote to memory of 1480 | 672 | cmd.exe | choice.exe
PID 672 wrote to memory of 1480 | 672 | cmd.exe | choice.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C taskkill /F /PID 1716 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe"
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /PID 1716
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      (depth 4) C:\Windows\SysWOW64\choice.exe
        Command line: choice /C Y /N /D Y /T 3
Downloads
- memory/292-54-0x0000000000C20000-0x0000000000CE6000-memory.dmp (Filesize: 792KB)
- memory/292-55-0x0000000000320000-0x0000000000328000-memory.dmp (Filesize: 32KB)
- memory/292-56-0x0000000000AB0000-0x0000000000AE4000-memory.dmp (Filesize: 208KB)
- memory/672-69-0x0000000000000000-mapping.dmp
- memory/880-70-0x0000000000000000-mapping.dmp
- memory/1480-71-0x0000000000000000-mapping.dmp
- memory/1716-61-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/1716-62-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/1716-63-0x0000000000427D9E-mapping.dmp
- memory/1716-65-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/1716-67-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/1716-68-0x0000000075BF1000-0x0000000075BF3000-memory.dmp (Filesize: 8KB)
- memory/1716-60-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/1716-58-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/1716-57-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)