Analysis
- max time kernel: 74s
- max time network: 100s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-06-2022 20:39
Static task: static1

Behavioral task: behavioral1
  Sample: __1000.png.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: __1000.png.exe
  Resource: win10v2004-20220414-en
General
- Target: __1000.png.exe
- Size: 1.2MB
- MD5: 926ee43e282b9774b710501c4fff41c7
- SHA1: 4d8ebd4ac62c70e0e42d17b62a3051c686ece7df
- SHA256: 3b38378d0b57fc75646c350f286d53ad0d7a15ebd4d103374e2e2301758ab442
- SHA512: 9f338257255e53dc215fba6845af5a3cac39028be945481c514dd3393783a2be5f0d858ddbfba7b5716c8d62cf97870beaf467313db859ce93c601ae56c85257
Malware Config
Extracted
- Family: redline
- Botnet: 2
- C2: 45.142.122.179:36803
- auth_value: 8b4fd9f885203719dec0ceda822a4ec3
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process         target process
  PID 1180 set thread context of 1468  1180  __1000.png.exe  InstallUtil.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid   process
  1180  __1000.png.exe
  1180  __1000.png.exe
  1180  __1000.png.exe
  1180  __1000.png.exe
  1180  __1000.png.exe
  1468  InstallUtil.exe
  1468  InstallUtil.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1468  InstallUtil.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process         target process
  PID 1180 wrote to memory of 1468  1180  __1000.png.exe  InstallUtil.exe   (9 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\__1000.png.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\__1000.png.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps)
- memory/1180-54-0x0000000000800000-0x0000000000AC3000-memory.dmp  (Filesize 2.8MB)
- memory/1180-55-0x0000000000800000-0x0000000000941000-memory.dmp  (Filesize 1.3MB)
- memory/1180-56-0x0000000000800000-0x0000000000941000-memory.dmp  (Filesize 1.3MB)
- memory/1180-57-0x0000000076C81000-0x0000000076C83000-memory.dmp  (Filesize 8KB)
- memory/1180-58-0x000000000B3C0000-0x000000000B4CC000-memory.dmp  (Filesize 1.0MB)
- memory/1180-63-0x0000000000800000-0x0000000000941000-memory.dmp  (Filesize 1.3MB)
- memory/1468-59-0x0000000000400000-0x000000000041C000-memory.dmp  (Filesize 112KB)
- memory/1468-61-0x0000000000400000-0x000000000041C000-memory.dmp  (Filesize 112KB)
- memory/1468-64-0x0000000000400000-0x000000000041C000-memory.dmp  (Filesize 112KB)
- memory/1468-66-0x0000000000400000-0x000000000041C000-memory.dmp  (Filesize 112KB)