Analysis
-
max time kernel
44s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
05-07-2022 17:26
General
-
Target
1c5c68369bf3d0d615edfc3d760070f7.exe
-
Size
2.4MB
-
MD5
1c5c68369bf3d0d615edfc3d760070f7
-
SHA1
ccb0d2e9f74b55b77313dbbb01024161b6ad9112
-
SHA256
a8946790919846ad03640f1ac35962e092e96ba02344a004a65eae31c7080d17
-
SHA512
082935677bc3b2277dd5d404072307f5fbeb10c3acdee601a1abef7f95a9fa61d8c4fe59d31d217ebce4c8ac7ec843b7b92a298a5eca5ce7230bf58ef49f0caa
Score
10/10
Malware Config
Extracted
Family
redline
C2
91.219.63.181:19868
Attributes
-
auth_value
f207ca59aef487891ec6fd307ac196e5
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c5c68369bf3d0d615edfc3d760070f7.exe"C:\Users\Admin\AppData\Local\Temp\1c5c68369bf3d0d615edfc3d760070f7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 3439002⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/345232-54-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/345232-56-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/345232-62-0x00000000004011D4-mapping.dmp
-
memory/345232-63-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/345232-64-0x0000000074B51000-0x0000000074B53000-memory.dmpFilesize
8KB
-
memory/345232-65-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/345280-66-0x0000000000000000-mapping.dmp
-
memory/345296-67-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/345296-68-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/345296-70-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/345296-73-0x000000000041814E-mapping.dmp
-
memory/345296-72-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/345296-75-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/345296-71-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/345296-77-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB