Analysis
- max time kernel: 90s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-06-2022 13:00
Static task: static1
Behavioral task: behavioral1
- Sample: d5a4071b7a2b6f45c5178f636bfa1b93.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: d5a4071b7a2b6f45c5178f636bfa1b93.exe
- Resource: win10v2004-20220414-en
General
- Target: d5a4071b7a2b6f45c5178f636bfa1b93.exe
- Size: 295KB
- MD5: d5a4071b7a2b6f45c5178f636bfa1b93
- SHA1: 89f57ed6b2659e21bdc10c4e7d80efb339d13b3a
- SHA256: bd7bdf1fe2307d49c71109ee8a7759b1919bccf1f0e6ee3daa76cf3834d7e3be
- SHA512: 35d5e7f58fef352d1ed74fbd22fb4da226e0fbc46324ecc34475bd0ee16ce8ab006d165e52d5444c77f4f14abd6a724dcf121dba47e1db9ccf94360394db9e66
Malware Config
Extracted: redline
- 1
- C2: 89.22.227.236:22009
- auth_value: 2a9c7589a4287e8852c51a7124d88669
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/4360-131-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2920 set thread context of 4360 | 2920 | d5a4071b7a2b6f45c5178f636bfa1b93.exe | AppLaunch.exe
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  4996 | 2920 | WerFault.exe | d5a4071b7a2b6f45c5178f636bfa1b93.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  4360 | AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4360 | AppLaunch.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target process
  PID 2920 wrote to memory of 4360 | 2920 | d5a4071b7a2b6f45c5178f636bfa1b93.exe | AppLaunch.exe
  PID 2920 wrote to memory of 4360 | 2920 | d5a4071b7a2b6f45c5178f636bfa1b93.exe | AppLaunch.exe
  PID 2920 wrote to memory of 4360 | 2920 | d5a4071b7a2b6f45c5178f636bfa1b93.exe | AppLaunch.exe
  PID 2920 wrote to memory of 4360 | 2920 | d5a4071b7a2b6f45c5178f636bfa1b93.exe | AppLaunch.exe
  PID 2920 wrote to memory of 4360 | 2920 | d5a4071b7a2b6f45c5178f636bfa1b93.exe | AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d5a4071b7a2b6f45c5178f636bfa1b93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5a4071b7a2b6f45c5178f636bfa1b93.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 416
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2920 -ip 2920
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4360-130-0x0000000000000000-mapping.dmp
- memory/4360-131-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/4360-136-0x00000000058E0000-0x0000000005EF8000-memory.dmp (Filesize: 6.1MB)
- memory/4360-137-0x0000000005370000-0x0000000005382000-memory.dmp (Filesize: 72KB)
- memory/4360-138-0x00000000054A0000-0x00000000055AA000-memory.dmp (Filesize: 1.0MB)
- memory/4360-139-0x00000000053D0000-0x000000000540C000-memory.dmp (Filesize: 240KB)
- memory/4360-140-0x00000000064B0000-0x0000000006A54000-memory.dmp (Filesize: 5.6MB)
- memory/4360-141-0x0000000005840000-0x00000000058D2000-memory.dmp (Filesize: 584KB)
- memory/4360-142-0x0000000005F00000-0x0000000005F66000-memory.dmp (Filesize: 408KB)
- memory/4360-143-0x0000000006370000-0x00000000063E6000-memory.dmp (Filesize: 472KB)
- memory/4360-144-0x0000000006A60000-0x0000000006A7E000-memory.dmp (Filesize: 120KB)
- memory/4360-145-0x0000000006D20000-0x0000000006D70000-memory.dmp (Filesize: 320KB)
- memory/4360-146-0x0000000007D30000-0x0000000007EF2000-memory.dmp (Filesize: 1.8MB)
- memory/4360-147-0x0000000008430000-0x000000000895C000-memory.dmp (Filesize: 5.2MB)