Analysis
- max time kernel: 42s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-07-2022 21:28
Static task: static1
Behavioral task: behavioral1
- Sample: 2d4c6d3afba4eeee3895c60c42be285e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2d4c6d3afba4eeee3895c60c42be285e.exe
- Resource: win10v2004-20220414-en
General
- Target: 2d4c6d3afba4eeee3895c60c42be285e.exe
- Size: 1.3MB
- MD5: 2d4c6d3afba4eeee3895c60c42be285e
- SHA1: 4a9951869b11d9393365507422bbbeee9ed282a8
- SHA256: 9afc87589b3c76f6c50238294539f53eb38a51f61b7d38db4637582f6b168692
- SHA512: d7347c8ecb2773abd32e9edb1e8606057751ffc82f5659014f830d8287fa1784b398cf84b1974d45077c05997ced9cfe5ca3b6f0e68ee50af376c582db11f37d
Malware Config
Extracted
- redline: 185.106.92.20:33168
- auth_value: 473a7a67f3a5b581eee05af44809068a
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                            pid  process                               target process
  PID 664 set thread context of 345264   664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
- Program crash (1 IoC)
  Processes:
  pid     pid_target  process       target process
  345308  664         WerFault.exe  2d4c6d3afba4eeee3895c60c42be285e.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid     process
  345264  AppLaunch.exe
  345264  AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid     process
  Token: SeDebugPrivilege  345264  AppLaunch.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description                        pid  process                               target process
  PID 664 wrote to memory of 345264  664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
  PID 664 wrote to memory of 345264  664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
  PID 664 wrote to memory of 345264  664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
  PID 664 wrote to memory of 345264  664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
  PID 664 wrote to memory of 345264  664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
  PID 664 wrote to memory of 345264  664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
  PID 664 wrote to memory of 345264  664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
  PID 664 wrote to memory of 345264  664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
  PID 664 wrote to memory of 345264  664  2d4c6d3afba4eeee3895c60c42be285e.exe  AppLaunch.exe
  PID 664 wrote to memory of 345308  664  2d4c6d3afba4eeee3895c60c42be285e.exe  WerFault.exe
  PID 664 wrote to memory of 345308  664  2d4c6d3afba4eeee3895c60c42be285e.exe  WerFault.exe
  PID 664 wrote to memory of 345308  664  2d4c6d3afba4eeee3895c60c42be285e.exe  WerFault.exe
  PID 664 wrote to memory of 345308  664  2d4c6d3afba4eeee3895c60c42be285e.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2d4c6d3afba4eeee3895c60c42be285e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d4c6d3afba4eeee3895c60c42be285e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 343904
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/345264-54-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/345264-56-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/345264-61-0x000000000041816E-mapping.dmp
- memory/345264-62-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/345264-63-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/345264-64-0x0000000075FC1000-0x0000000075FC3000-memory.dmp (Filesize: 8KB)
- memory/345308-65-0x0000000000000000-mapping.dmp