Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-06-2022 16:15

Static task: static1

Behavioral task: behavioral1
- Sample: 70.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 70.exe
- Resource: win10v2004-20220414-en
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds
General
- Target: 70.exe
- Size: 295KB
- MD5: d5a4071b7a2b6f45c5178f636bfa1b93
- SHA1: 89f57ed6b2659e21bdc10c4e7d80efb339d13b3a
- SHA256: bd7bdf1fe2307d49c71109ee8a7759b1919bccf1f0e6ee3daa76cf3834d7e3be
- SHA512: 35d5e7f58fef352d1ed74fbd22fb4da226e0fbc46324ecc34475bd0ee16ce8ab006d165e52d5444c77f4f14abd6a724dcf121dba47e1db9ccf94360394db9e66
- Score: 10/10
Malware Config
Extracted
- Family: redline
- Botnet: 1
- C2: 89.22.227.236:22009
- Attributes:
  - auth_value: 2a9c7589a4287e8852c51a7124d88669
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  Processes:
  - resource: behavioral2/memory/1012-131-0x0000000000400000-0x0000000000420000-memory.dmp; yara_rule: family_redline
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - description: PID 3124 set thread context of 1012; pid: 3124; process: 70.exe; target process: AppLaunch.exe
- Program crash (1 IoCs)
  Processes:
  - pid: 4168; pid_target: 3124; process: WerFault.exe; target process: 70.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  - description: PID 3124 wrote to memory of 1012; pid: 3124; process: 70.exe; target process: AppLaunch.exe
  - description: PID 3124 wrote to memory of 1012; pid: 3124; process: 70.exe; target process: AppLaunch.exe
  - description: PID 3124 wrote to memory of 1012; pid: 3124; process: 70.exe; target process: AppLaunch.exe
  - description: PID 3124 wrote to memory of 1012; pid: 3124; process: 70.exe; target process: AppLaunch.exe
  - description: PID 3124 wrote to memory of 1012; pid: 3124; process: 70.exe; target process: AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\70.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 404
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3124 -ip 3124
Network
MITRE ATT&CK Matrix
Downloads
- memory/1012-131-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1012-130-0x0000000000000000-mapping.dmp
- memory/1012-137-0x00000000053B0000-0x00000000059C8000-memory.dmp (Filesize: 6.1MB)
- memory/1012-138-0x0000000004E40000-0x0000000004E52000-memory.dmp (Filesize: 72KB)
- memory/1012-139-0x0000000004F70000-0x000000000507A000-memory.dmp (Filesize: 1.0MB)
- memory/1012-140-0x0000000004EA0000-0x0000000004EDC000-memory.dmp (Filesize: 240KB)
- memory/3124-136-0x0000000000DBF000-0x0000000000DC1000-memory.dmp (Filesize: 8KB)