Analysis
max time kernel: 121s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-05-2022 01:23

Static task: static1
Behavioral task: behavioral1
  Sample: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
  Resource: win10v2004-20220414-en
General
Target: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
Size: 798KB
MD5: 4c274d6a3b4f39556ecd377da5492982
SHA1: 559fcd5cfcb3477571c8a36e451375e2b0405754
SHA256: 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09
SHA512: 8433324ac1a4b0ce7fd8f096a889d3b525fe80dd8faadc23439b3fe6be6d100e76c7cfc3749360b57455a50faea5a8670e6ddfb354599dca9b6b8577d8ccddf8
Malware Config
Extracted
Family: redline
Botnet: Mastif
C2: 94.103.93.226:81
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
resource: behavioral2/memory/3992-136-0x0000000000400000-0x000000000042C000-memory.dmp
yara_rule: family_redline

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 4928 set thread context of 3992 | 4928 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe

Kills process with taskkill (1 IoC)
pid | process
340 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
4928 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
4928 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4928 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
Token: SeDebugPrivilege | 3992 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
Token: SeDebugPrivilege | 340 | taskkill.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | process | target process | occurrences
PID 4928 wrote to memory of 856 | 4928 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 3
PID 4928 wrote to memory of 3992 | 4928 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | 8
PID 3992 wrote to memory of 4016 | 3992 | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe | cmd.exe | 3
PID 4016 wrote to memory of 340 | 4016 | cmd.exe | taskkill.exe | 3
PID 4016 wrote to memory of 2968 | 4016 | cmd.exe | choice.exe | 3
Processes
(PIDs are taken from the Signatures tables above. The first "{path}" child, 856, only receives 3 memory writes and has no further recorded activity; the second, 3992, receives 8 writes plus the SetThreadContext call, holds the memory region matched by family_redline, and launches the self-delete chain. "{path}" is the sandbox's placeholder for the sample's own path.)

1. C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe (PID 4928)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe (PID 856)
      Command line: "{path}"
   2. C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe (PID 3992)
      Command line: "{path}"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 4016)
         Command line: "cmd.exe" /C taskkill /F /PID 3992 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\taskkill.exe (PID 340)
            Command line: taskkill /F /PID 3992
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\choice.exe (PID 2968)
            Command line: choice /C Y /N /D Y /T 3
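The two behaviours this report records, as an added detection example that is not part of the sandbox report or of the sandbox's own signature logic: the script below replays the Signatures tables as constructed events (the tuple layout, the event names and the ProcessCreate entries are this example's assumptions; the PIDs, images and command lines are the report's) and flags (1) the hollowing shape, a parent that writes into a child and then sets that child's thread context, reporting write-only children separately because a normal CreateProcess also writes into a fresh child, and (2) the self-delete chain, in which `choice /C Y /N /D Y /T 3` auto-selects Y after three seconds and so acts as a sleep that lets taskkill finish and release the file lock before Del runs.

```python
"""Detection logic over constructed sandbox-style events (example code, not the report's)."""
import re
from collections import defaultdict

# Images and command lines from the report; the event tuple format is an assumption.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events: (event, pid, image, target_pid, target_image_or_cmdline).
EVENTS = (
    [("WriteProcessMemory", 4928, SAMPLE, 856, SAMPLE)] * 3
    + [("WriteProcessMemory", 4928, SAMPLE, 3992, SAMPLE)] * 8
    + [("SetThreadContext", 4928, SAMPLE, 3992, SAMPLE)]
    + [("WriteProcessMemory", 3992, SAMPLE, 4016, CMD)] * 3
    + [("ProcessCreate", 3992, SAMPLE, 4016,
        '"cmd.exe" /C taskkill /F /PID 3992 && choice /C Y /N /D Y /T 3 & Del "%s"' % SAMPLE)]
    + [("ProcessCreate", 4016, CMD, 340, "taskkill /F /PID 3992")]
    + [("ProcessCreate", 4016, CMD, 2968, "choice /C Y /N /D Y /T 3")]
)


def find_hollowing(events):
    """Group WriteProcessMemory by (parent, child); the verdict is "hollowing" only
    when the same parent also called SetThreadContext on that child."""
    writes = defaultdict(int)
    images = {}
    ctx = set()
    for ev, pid, image, tpid, target in events:
        if ev == "WriteProcessMemory":
            writes[(pid, tpid)] += 1
            images[(pid, tpid)] = (image, target)
        elif ev == "SetThreadContext":
            ctx.add((pid, tpid))
    findings = []
    for key, n in writes.items():
        parent_img, child_img = images[key]
        findings.append({
            "parent": key[0], "child": key[1], "writes": n,
            # a suspended copy of the parent's own image is the classic self-hollowing shape
            "same_image": parent_img.lower() == child_img.lower(),
            "verdict": "hollowing" if key in ctx else "write_only",
        })
    return findings


# taskkill a PID, wait via choice /T N, then del a file: the three-step self-delete chain.
SELF_DELETE_RE = re.compile(
    r"taskkill\b[^&]*?/PID\s+(?P<pid>\d+)"
    r"[^&]*&&?\s*choice\b[^&]*?/T\s+(?P<delay>\d+)"
    r"[^&]*&&?\s*del\s+\"?(?P<path>[^\"&]+)",
    re.IGNORECASE,
)


def find_self_delete(events):
    """Match the chain on ProcessCreate command lines and tie it back to the launcher."""
    hits = []
    for ev, pid, image, tpid, cmdline in events:
        if ev != "ProcessCreate":
            continue
        m = SELF_DELETE_RE.search(cmdline)
        if not m:
            continue
        path = m.group("path").strip()
        killed = int(m.group("pid"))
        hits.append({
            "cmd_pid": tpid, "spawned_by": pid, "kills": killed,
            "kills_parent": killed == pid,        # the chain targets the process that launched it
            "delay_s": int(m.group("delay")),     # choice /T N doubles as a sleep
            "deletes": path,
            "deletes_own_image": path.lower() == image.lower(),
        })
    return hits


def analyse(events=EVENTS):
    return {"hollowing": find_hollowing(events), "self_delete": find_self_delete(events)}


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print("%-10s %d -> %d (%d writes, same image: %s)"
              % (f["verdict"], f["parent"], f["child"], f["writes"], f["same_image"]))
    for h in find_self_delete(EVENTS):
        print("self-delete: cmd %d kills %d (its launcher: %s), sleeps %ds, deletes own image: %s"
              % (h["cmd_pid"], h["kills"], h["kills_parent"], h["delay_s"], h["deletes_own_image"]))
```

On the report's events this yields one "hollowing" finding (4928 -> 3992, 8 writes, same image), two "write_only" entries (4928 -> 856 and 3992 -> 4016, the latter a different image and the ordinary CreateProcess write into cmd.exe), and one self-delete hit where cmd.exe 4016 kills its own launcher 3992 and deletes the launcher's image after a 3 s delay.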
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe.log
  Filesize: 507B
  MD5: 76ffb2f33cb32ade8fc862a67599e9d8
  SHA1: 920cc4ab75b36d2f9f6e979b74db568973c49130
  SHA256: f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310
  SHA512: f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

memory/340-143-0x0000000000000000-mapping.dmp
memory/856-134-0x0000000000000000-mapping.dmp
memory/2968-144-0x0000000000000000-mapping.dmp
memory/3992-139-0x0000000005980000-0x0000000005992000-memory.dmp  Filesize: 72KB
memory/3992-135-0x0000000000000000-mapping.dmp
memory/3992-136-0x0000000000400000-0x000000000042C000-memory.dmp  Filesize: 176KB
memory/3992-138-0x0000000006010000-0x0000000006628000-memory.dmp  Filesize: 6.1MB
memory/3992-140-0x00000000059F0000-0x0000000005A2C000-memory.dmp  Filesize: 240KB
memory/3992-141-0x0000000005C80000-0x0000000005D8A000-memory.dmp  Filesize: 1.0MB
memory/4016-142-0x0000000000000000-mapping.dmp
memory/4928-133-0x0000000006640000-0x00000000066DC000-memory.dmp  Filesize: 624KB
memory/4928-130-0x0000000000EF0000-0x0000000000FB6000-memory.dmp  Filesize: 792KB
memory/4928-132-0x0000000005980000-0x0000000005A12000-memory.dmp  Filesize: 584KB
memory/4928-131-0x0000000005E50000-0x00000000063F4000-memory.dmp  Filesize: 5.6MB