Analysis
Max time kernel: 44s
Max time network: 48s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 06-07-2022 22:26
Static task: static1
Behavioral task behavioral1: sample 098c9b9b367660132eec3df473f29d2f.exe, resource win7-20220414-en
Behavioral task behavioral2: sample 098c9b9b367660132eec3df473f29d2f.exe, resource win10v2004-20220414-en
General
Target: 098c9b9b367660132eec3df473f29d2f.exe
Size: 2.4MB
MD5: 098c9b9b367660132eec3df473f29d2f
SHA1: 132619d5e3f88b7d96c6b6ee0167a9907cf22abf
SHA256: 4589222780e929e9d982ba839f37881d7861bcc07afb3c4e93acf0c20da8934e
SHA512: bdc1497e606c13802992742007ec209c257c7366ec3d702b8fdf38e2b7290e197804802689643afb0a39079fc642a9853dcab865dd88e4996ecce32a9a20857f
Malware Config
Extracted family: redline
C2: 213.226.123.155:2014
auth_value: be2205f654abe3ef15343bc67642db4e
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
  Resource                                                                       YARA rule
  behavioral1/memory/209820-56-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral1/memory/209820-61-0x000000000041B4DE-mapping.dmp                    family_redline
  behavioral1/memory/209820-62-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral1/memory/209820-63-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline

Downloads MZ/PE file
Executes dropped EXE (1 IoC)
  PID   Process
  1732  Installer.exe

Loads dropped DLL (1 IoC)
  PID     Process
  209820  AppLaunch.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
  Description                            Source PID  Source process                         Target PID  Target process
  PID 1336 set thread context of 209820  1336        098c9b9b367660132eec3df473f29d2f.exe   209820      AppLaunch.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID     Process
  209820  AppLaunch.exe
  1732    Installer.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID     Process
  Token: SeDebugPrivilege  209820  AppLaunch.exe
  Token: SeDebugPrivilege  1732    Installer.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  Description                          Source PID  Source process                         Target PID  Target process  Count
  PID 1336 wrote to memory of 209820   1336        098c9b9b367660132eec3df473f29d2f.exe   209820      AppLaunch.exe   9 events
  PID 209820 wrote to memory of 1732   209820      AppLaunch.exe                          1732        Installer.exe   7 events
Processes

C:\Users\Admin\AppData\Local\Temp\098c9b9b367660132eec3df473f29d2f.exe (PID 1336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\098c9b9b367660132eec3df473f29d2f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 209820, child of 1336)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Installer.exe (PID 1732, child of 209820)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
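The process tree and the SetThreadContext/WriteProcessMemory signatures above describe the hollowing chain this sample uses: a dropper in %TEMP% starts the framework's own AppLaunch.exe with nothing on its command line, writes into it and redirects its thread, and the hollowed host then drops and runs Installer.exe from %TEMP%. The following is an added example for this page (not sandbox output and not part of the report) that flags that chain from process-creation telemetry. The records are constructed by hand in the shape of Sysmon Event ID 1 fields (PID, parent PID, image, command line); the dropper's parent PID and the benign AppLaunch.exe comparison event are assumptions, since the report lists neither.

```python
"""Detect the AppLaunch.exe hollowing chain from process-creation telemetry.

Added example for this report; not sandbox output. Events are constructed
by hand in a Sysmon Event ID 1 (ProcessCreate) shape.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str          # full path of the executable
    command_line: str   # as logged: the quoted image path plus any arguments


# Legitimate .NET host that the dropper in this report hollowed.
APPLAUNCH = re.compile(r"\\microsoft\.net\\framework(?:64)?\\v\d[\d.]*\\applaunch\.exe$", re.I)
# User-writable staging directory the dropper and Installer.exe ran from.
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def command_line_args(cmd: str) -> str:
    """Return the arguments that follow the executable; handles a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[close + 1:].strip() if close != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def find_hollowed_applaunch(events):
    """One finding per AppLaunch.exe that (a) received no assembly path on its
    command line and (b) was started by a process in %TEMP%. AppLaunch.exe is
    normally given a .NET assembly to run; an empty command line only makes
    sense if the image is about to be replaced in memory. Any EXE the hollowed
    host then starts from %TEMP% is reported as a dropped child."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not APPLAUNCH.search(e.image) or command_line_args(e.command_line):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not USER_TEMP.match(parent.image):
            continue
        dropped = [c.image for c in events if c.ppid == e.pid and USER_TEMP.match(c.image)]
        findings.append({"applaunch_pid": e.pid, "dropper": parent.image, "dropped": dropped})
    return findings


# Constructed sample: the three processes from this report (PIDs and paths as
# listed there; the dropper's parent PID 1000 is assumed) plus one benign
# AppLaunch.exe invocation with an assembly argument that must not fire.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    ProcessCreate(1336, 1000, rf"{TEMP}\098c9b9b367660132eec3df473f29d2f.exe",
                  f'"{TEMP}\\098c9b9b367660132eec3df473f29d2f.exe"'),
    ProcessCreate(209820, 1336, rf"{NETFX}\AppLaunch.exe", f'"{NETFX}\\AppLaunch.exe"'),
    ProcessCreate(1732, 209820, rf"{TEMP}\Installer.exe", f'"{TEMP}\\Installer.exe"'),
    ProcessCreate(4242, 4000, rf"{NETFX}\AppLaunch.exe",
                  f'"{NETFX}\\AppLaunch.exe" "C:\\Program Files\\Vendor\\Tool.dll"'),
]

if __name__ == "__main__":
    for finding in find_hollowed_applaunch(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the benign AppLaunch.exe with an assembly argument is ignored and the single finding names PID 209820, its dropper in %TEMP% and Installer.exe as the dropped child. The argument check is the load-bearing part: matching on AppLaunch.exe alone would fire on every ClickOnce launch.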
Downloads

C:\Users\Admin\AppData\Local\Temp\Installer.exe
(also recorded as \Users\Admin\AppData\Local\Temp\Installer.exe; identical hashes)
  Filesize: 82KB
  MD5: 0759cd1397dbd963689019c7ef994df8
  SHA1: b9c0f77040e2ed3065329aa89f7420e68fef6194
  SHA256: 42fbf11d75c5fa3895a269c62e0a23d8cc6856bef6a36c2dce81deac589b286a
  SHA512: 10996b4f98af36456b9f41a488711854123b776d5b130f8db48d9589ea7e5cccde2d7f0eabaf00f7e201dbf52878dbc1c29242f9f35acb4e6f59b80862e83331
Memory dumps
  Dump                                                               Filesize
  memory/1732-66-0x0000000000000000-mapping.dmp                      -
  memory/1732-70-0x0000000000970000-0x000000000098E000-memory.dmp    120KB
  memory/209820-54-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/209820-56-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/209820-61-0x000000000041B4DE-mapping.dmp                    -
  memory/209820-62-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/209820-63-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/209820-64-0x0000000074B51000-0x0000000074B53000-memory.dmp  8KB
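The dump names in the RedLine Payload signature and in the listing above encode the PID, a sequence number and the virtual address range of each region that was dumped. The following is an added example for this page (not the sandbox's own tooling) that parses that naming scheme, checks the stated sizes against the address ranges, collects the regions the family_redline rule hit, and reports which flagged region contains the single address carried by the 209820-61 mapping dump. The name layout is read off the listing; what a "mapping" dump represents is not stated on the page, so the containment check is a triage aid, not an interpretation.

```python
"""Parse the memory-dump names from this report and cross-check them.

Added example for this report, not the sandbox's own tooling. The name layout
<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp is read off the listing;
sizes and family_redline hits are the ones the report prints.
"""
import re
from dataclasses import dataclass
from typing import Optional

DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(\d+)-(\d+)-0x([0-9a-f]+)(?:-0x([0-9a-f]+))?-(memory|mapping)\.dmp$",
    re.I,
)


@dataclass(frozen=True)
class Dump:
    pid: int
    seq: int
    start: int
    end: Optional[int]   # None for mapping dumps, which carry a single address
    kind: str            # "memory" or "mapping"

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_dump_name(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    return Dump(int(pid), int(seq), int(start, 16), int(end, 16) if end else None, kind)


def size_mismatches(entries):
    """Names whose stated size (KB) disagrees with the address range in the name."""
    bad = []
    for name, stated_kb, _ in entries:
        d = parse_dump_name(name)
        if stated_kb is not None and d.size != stated_kb * 1024:
            bad.append(name)
    return bad


def redline_regions(entries):
    """Distinct (pid, start, end) regions the family_redline rule matched."""
    dumps = (parse_dump_name(name) for name, _, hit in entries if hit)
    return sorted({(d.pid, d.start, d.end) for d in dumps if d.end is not None})


def regions_containing(entries, address, pid):
    """Flagged regions of `pid` whose range contains `address`."""
    return [r for r in redline_regions(entries) if r[0] == pid and r[1] <= address < r[2]]


# Copied from the report: (dump name, stated size in KB or None, family_redline hit)
REPORT_DUMPS = [
    ("memory/1732-66-0x0000000000000000-mapping.dmp", None, False),
    ("memory/1732-70-0x0000000000970000-0x000000000098E000-memory.dmp", 120, False),
    ("memory/209820-54-0x0000000000400000-0x0000000000420000-memory.dmp", 128, False),
    ("memory/209820-56-0x0000000000400000-0x0000000000420000-memory.dmp", 128, True),
    ("memory/209820-61-0x000000000041B4DE-mapping.dmp", None, True),
    ("memory/209820-62-0x0000000000400000-0x0000000000420000-memory.dmp", 128, True),
    ("memory/209820-63-0x0000000000400000-0x0000000000420000-memory.dmp", 128, True),
    ("memory/209820-64-0x0000000074B51000-0x0000000074B53000-memory.dmp", 8, False),
]

if __name__ == "__main__":
    print("size mismatches:", size_mismatches(REPORT_DUMPS))
    print("RedLine regions:", [(p, hex(s), hex(e)) for p, s, e in redline_regions(REPORT_DUMPS)])
    print("regions holding 0x41B4DE:", regions_containing(REPORT_DUMPS, 0x41B4DE, 209820))
```

On the report's listing every stated size agrees with its address range (0x20000 bytes is 128KB, 0x1E000 is 120KB, 0x2000 is 8KB), the only region the RedLine rule hit is 0x400000-0x420000 in PID 209820, and the 0x41B4DE mapping address falls inside that region. The 54-sequence dump of the same range was taken before the rule fired, which is why only the later copies are flagged; when carving the payload, take the latest flagged dump.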