Analysis
- max time kernel: 91s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 13-06-2022 07:05
Static task: static1
Behavioral task: behavioral1
  Sample: b375ee623bea4699cb7b5018a78c91d9.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: b375ee623bea4699cb7b5018a78c91d9.exe
  Resource: win10v2004-20220414-en
General
- Target: b375ee623bea4699cb7b5018a78c91d9.exe
- Size: 715KB
- MD5: b375ee623bea4699cb7b5018a78c91d9
- SHA1: ecc84cee43aa4daa7b5a474e59182f3fe02cc633
- SHA256: 37e057a9cf268da296c33ea6e935d1008b018cc51752143618577b3b9a2a26ee
- SHA512: 79e36ba2774cd56ebce9e3e9e6f7ff759d90df1117adb2bcb5831471c9eedd6b949ef2f30bb91c2e7dc4ac23a30caf6955faa81adba8000921cbddcc1ad86417
Malware Config
Extracted
- Family: redline
- Botnet: 76
- C2: 139.99.32.83:43199
- auth_value: 44d461325298129ed3c705440f57962c
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4880-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 3960 set thread context of 4880 | 3960 | b375ee623bea4699cb7b5018a78c91d9.exe | AppLaunch.exe
- Program crash (1 IoCs)
  Processes:
    pid | pid_target | process | target process
    2000 | 3960 | WerFault.exe | b375ee623bea4699cb7b5018a78c91d9.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid | process
    4880 | AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4880 | AppLaunch.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description | pid | process | target process
    PID 3960 wrote to memory of 4880 | 3960 | b375ee623bea4699cb7b5018a78c91d9.exe | AppLaunch.exe
    PID 3960 wrote to memory of 4880 | 3960 | b375ee623bea4699cb7b5018a78c91d9.exe | AppLaunch.exe
    PID 3960 wrote to memory of 4880 | 3960 | b375ee623bea4699cb7b5018a78c91d9.exe | AppLaunch.exe
    PID 3960 wrote to memory of 4880 | 3960 | b375ee623bea4699cb7b5018a78c91d9.exe | AppLaunch.exe
    PID 3960 wrote to memory of 4880 | 3960 | b375ee623bea4699cb7b5018a78c91d9.exe | AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b375ee623bea4699cb7b5018a78c91d9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b375ee623bea4699cb7b5018a78c91d9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 380
    - Program crash
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3960 -ip 3960
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3960-137-0x00000000011AC000-0x00000000011AE000-memory.dmp (Filesize: 8KB)
- memory/3960-130-0x00000000011AC000-0x00000000011B1000-memory.dmp (Filesize: 20KB)
- memory/4880-142-0x00000000066C0000-0x0000000006C64000-memory.dmp (Filesize: 5.6MB)
- memory/4880-143-0x0000000006110000-0x00000000061A2000-memory.dmp (Filesize: 584KB)
- memory/4880-138-0x0000000005AF0000-0x0000000006108000-memory.dmp (Filesize: 6.1MB)
- memory/4880-139-0x0000000005550000-0x0000000005562000-memory.dmp (Filesize: 72KB)
- memory/4880-140-0x0000000005680000-0x000000000578A000-memory.dmp (Filesize: 1.0MB)
- memory/4880-141-0x00000000055B0000-0x00000000055EC000-memory.dmp (Filesize: 240KB)
- memory/4880-131-0x0000000000000000-mapping.dmp
- memory/4880-132-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/4880-144-0x00000000061B0000-0x0000000006226000-memory.dmp (Filesize: 472KB)
- memory/4880-145-0x0000000005AB0000-0x0000000005ACE000-memory.dmp (Filesize: 120KB)
- memory/4880-146-0x00000000065A0000-0x0000000006606000-memory.dmp (Filesize: 408KB)
- memory/4880-147-0x0000000006660000-0x00000000066B0000-memory.dmp (Filesize: 320KB)
- memory/4880-148-0x0000000007E10000-0x0000000007FD2000-memory.dmp (Filesize: 1.8MB)
- memory/4880-149-0x0000000008510000-0x0000000008A3C000-memory.dmp (Filesize: 5.2MB)