Analysis
- max time kernel: 128s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-06-2022 16:15
Static task: static1

Behavioral task: behavioral1
- Sample: 70.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 70.exe
- Resource: win10v2004-20220414-en
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds
General
- Target: 70.exe
- Size: 295KB
- MD5: d5a4071b7a2b6f45c5178f636bfa1b93
- SHA1: 89f57ed6b2659e21bdc10c4e7d80efb339d13b3a
- SHA256: bd7bdf1fe2307d49c71109ee8a7759b1919bccf1f0e6ee3daa76cf3834d7e3be
- SHA512: 35d5e7f58fef352d1ed74fbd22fb4da226e0fbc46324ecc34475bd0ee16ce8ab006d165e52d5444c77f4f14abd6a724dcf121dba47e1db9ccf94360394db9e66
- Score: 10/10
Malware Config
Extracted
- Family: redline
- Botnet: 1
- C2: 89.22.227.236:22009
- Attributes:
  - auth_value: 2a9c7589a4287e8852c51a7124d88669
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (4 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/932-56-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
  behavioral1/memory/932-61-0x000000000041ADD6-mapping.dmp                     family_redline
  behavioral1/memory/932-62-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
  behavioral1/memory/932-63-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process   target process
  PID 884 set thread context of 932    884   70.exe    AppLaunch.exe
- Program crash (1 IoC)
  Processes:
  pid    pid_target   process        target process
  1192   884          WerFault.exe   70.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description                       pid   process   target process
  PID 884 wrote to memory of 932    884   70.exe    AppLaunch.exe
  PID 884 wrote to memory of 932    884   70.exe    AppLaunch.exe
  PID 884 wrote to memory of 932    884   70.exe    AppLaunch.exe
  PID 884 wrote to memory of 932    884   70.exe    AppLaunch.exe
  PID 884 wrote to memory of 932    884   70.exe    AppLaunch.exe
  PID 884 wrote to memory of 932    884   70.exe    AppLaunch.exe
  PID 884 wrote to memory of 932    884   70.exe    AppLaunch.exe
  PID 884 wrote to memory of 932    884   70.exe    AppLaunch.exe
  PID 884 wrote to memory of 932    884   70.exe    AppLaunch.exe
  PID 884 wrote to memory of 1192   884   70.exe    WerFault.exe
  PID 884 wrote to memory of 1192   884   70.exe    WerFault.exe
  PID 884 wrote to memory of 1192   884   70.exe    WerFault.exe
  PID 884 wrote to memory of 1192   884   70.exe    WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\70.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 112
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/932-54-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/932-56-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/932-61-0x000000000041ADD6-mapping.dmp
- memory/932-62-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/932-63-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/932-64-0x0000000075941000-0x0000000075943000-memory.dmp
  Filesize: 8KB
- memory/1192-65-0x0000000000000000-mapping.dmp