Analysis
- max time kernel: 310s
- max time network: 348s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 12:09
Static task: static1
Behavioral task: behavioral1
- Sample: Installer.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Installer.exe
- Resource: win10v2004-20220414-en
General
- Target: Installer.exe
- Size: 586.3MB
- MD5: 56cae4e535bb14d5b699a1f3b3a372f0
- SHA1: 8e085dc03bc975c10ebe2076962c17f8bd369e98
- SHA256: f919ca0a5c6bff30ebed640b411b8a1a73350497fdd6087e1a24f7d9648724bf
- SHA512: 37e9233427fd3c990d637e406c58430319d6c6d10798ebdff25e81dccca32e5620e6dca44937adea7263888562e02c2488f04e2578e4b70bdf08a4b8053ba6fd
Malware Config
Extracted: redline
- 777
- 89.22.227.140:31288
- auth_value: e42115cf07e73321acdde5e388b0aef9
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  resource: behavioral2/memory/4948-133-0x0000000000740000-0x0000000000760000-memory.dmp
  yara_rule: family_redline
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  pid 2664, process pumpal109061.exe
- Uses the VBS compiler for execution (1 TTPs)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2628 set thread context of 4948; pid 2628, process Installer.exe, target process vbc.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 4948, process vbc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; pid 2628, process Installer.exe
  Token: SeDebugPrivilege; pid 4948, process vbc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2628 wrote to memory of 4948 (process Installer.exe, target process vbc.exe): 8 entries
  PID 4948 wrote to memory of 2664 (process vbc.exe, target process pumpal109061.exe): 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\Installer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (child of 1)
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe (child of 2)
   Command line: "C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe"
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe
  Filesize: 26.7MB
  MD5: 430a7adec2ef4c9e34c0c4227bb528e4
  SHA1: c8ef475c554111721f1f7cdb6a9669ba54b0e21e
  SHA256: 1cb689eceebad2a2a866f014d34671772482ca5701ac5de88a3cc358aa5d7a9d
  SHA512: 01f6ba2b5c5fdae41538a7fd5bf049da80d5235a9b8dba3e86da12c0841ea4d16ea86db342cd0d506f15da0cc2732b4ed66eb91e1f14691c394d30a99c8ae77c
- C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe
  Filesize: 26.1MB
  MD5: eae6bce4e34635df0cdf91cd45f4a3c0
  SHA1: 2c385044d852d5b28f113965693dff38d9f78d0d
  SHA256: 338d014fb2628f3a04dc9c02f43d3a7f6c6bc57427a64f7c56acf70c98a4bbfa
  SHA512: b7f3b0564c6ea03976da00ceed115ec21c2e1c0f8b18f3667e31db49425658a82de9483c89148d9fc3721339a44d8efee804da79eeaba2bc5352d1dffbf644ef
- memory/2628-130-0x0000000000630000-0x0000000000690000-memory.dmp (Filesize: 384KB)
- memory/2664-146-0x0000000000000000-mapping.dmp
- memory/4948-139-0x0000000005750000-0x00000000057E2000-memory.dmp (Filesize: 584KB)
- memory/4948-142-0x0000000005BC0000-0x0000000005C26000-memory.dmp (Filesize: 408KB)
- memory/4948-137-0x0000000004C30000-0x0000000004C6C000-memory.dmp (Filesize: 240KB)
- memory/4948-138-0x0000000004FC0000-0x0000000005036000-memory.dmp (Filesize: 472KB)
- memory/4948-135-0x0000000004BD0000-0x0000000004BE2000-memory.dmp (Filesize: 72KB)
- memory/4948-140-0x0000000005DA0000-0x0000000006344000-memory.dmp (Filesize: 5.6MB)
- memory/4948-141-0x00000000050B0000-0x00000000050CE000-memory.dmp (Filesize: 120KB)
- memory/4948-136-0x0000000004D00000-0x0000000004E0A000-memory.dmp (Filesize: 1.0MB)
- memory/4948-143-0x0000000006720000-0x00000000068E2000-memory.dmp (Filesize: 1.8MB)
- memory/4948-144-0x0000000006E20000-0x000000000734C000-memory.dmp (Filesize: 5.2MB)
- memory/4948-145-0x00000000066A0000-0x00000000066F0000-memory.dmp (Filesize: 320KB)
- memory/4948-134-0x0000000005130000-0x0000000005748000-memory.dmp (Filesize: 6.1MB)
- memory/4948-133-0x0000000000740000-0x0000000000760000-memory.dmp (Filesize: 128KB)
- memory/4948-131-0x0000000000000000-mapping.dmp