Analysis
- max time kernel: 103s
- max time network: 106s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-07-2022 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: 16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
  Resource: win10-20220414-en
General
- Target: 16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
- Size: 1.6MB
- MD5: 172b15079b00399010648f9474f8e0b6
- SHA1: 931da4fc406d9242a298e86fb818eed29bff8047
- SHA256: 16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261
- SHA512: 8e0912393441a0e5863b5097943de3d099d2b3f3f32c1425a524fe2c5f61caffe3887f7c9c14fb9b0cdded5357174001dc3307c817c80a6a4566715a588874e8
Malware Config
Extracted
- Family: redline
- Botnet: SUBZERO
- C2: 185.215.113.217:19618
- auth_value: 019ff2a82025cde517e4466362191205
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload (3 IoCs)
Processes:
  resource: behavioral1/memory/1248-65-0x0000000000400000-0x0000000000420000-memory.dmp  yara_rule: family_redline
  resource: behavioral1/memory/1248-67-0x0000000000400000-0x0000000000420000-memory.dmp  yara_rule: family_redline
  resource: behavioral1/memory/1248-69-0x0000000000400000-0x0000000000420000-memory.dmp  yara_rule: family_redline
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 836 set thread context of 1248  pid: 836  process: 16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe  target process: InstallUtil.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid: 836  process: 16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe  (5 identical entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege  pid: 1248  process: InstallUtil.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description: PID 836 wrote to memory of 1248  pid: 836  process: 16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe  target process: InstallUtil.exe  (9 identical entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
-
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (child of 1)
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/836-60-0x0000000075381000-0x0000000075383000-memory.dmp  Filesize: 8KB
- memory/836-54-0x0000000002050000-0x000000000257E000-memory.dmp  Filesize: 5.2MB
- memory/836-56-0x0000000002580000-0x00000000026C7000-memory.dmp  Filesize: 1.3MB
- memory/836-57-0x0000000002580000-0x00000000026C7000-memory.dmp  Filesize: 1.3MB
- memory/836-58-0x0000000002050000-0x000000000257E000-memory.dmp  Filesize: 5.2MB
- memory/836-59-0x0000000002580000-0x00000000026C7000-memory.dmp  Filesize: 1.3MB
- memory/836-55-0x0000000002050000-0x000000000257E000-memory.dmp  Filesize: 5.2MB
- memory/836-61-0x000000000B470000-0x000000000B59F000-memory.dmp  Filesize: 1.2MB
- memory/836-70-0x0000000002580000-0x00000000026C7000-memory.dmp  Filesize: 1.3MB
- memory/836-62-0x000000000B470000-0x000000000B59F000-memory.dmp  Filesize: 1.2MB
- memory/1248-63-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/1248-67-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/1248-69-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/1248-65-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB