Analysis
max time kernel: 41s
max time network: 44s
platform: windows7_x64
resource: win7-20220414-en
submitted: 06-07-2022 17:50
Static task: static1
Behavioral task: behavioral1
  Sample: 0f679420cfdca278cc906fe0304a14cd.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 0f679420cfdca278cc906fe0304a14cd.exe
  Resource: win10v2004-20220414-en
General
Target: 0f679420cfdca278cc906fe0304a14cd.exe
Size: 2.4MB
MD5: 0f679420cfdca278cc906fe0304a14cd
SHA1: 5e64da534eaeee4dbae4591a1fd10d0e9e7134b6
SHA256: 466d8ee83aa0e9197e9135b845fab890eb7ca3ad04c9060404cd9a25ab844600
SHA512: f0373469f21631651eb557e80e076231b3f58ab0473f7b87747d473858c2d25b2d81c14b4d49741a544d8b321cd963f6a6f35f425ef5890eda68e4de88944110
Malware Config
Extracted
Family: redline
C2: 213.226.123.155:2014
auth_value: acc89c018dd09af2c4427effeca07a04
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/213252-56-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/213252-61-0x000000000041B4CE-mapping.dmp | family_redline
behavioral1/memory/213252-62-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/213252-63-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid | process
213536 | Installer.exe

Loads dropped DLL (1 IoC)
pid | process
213252 | AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 948 set thread context of 213252 | 948 | 0f679420cfdca278cc906fe0304a14cd.exe | AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
213252 | AppLaunch.exe
213536 | Installer.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 213252 | AppLaunch.exe
Token: SeDebugPrivilege | 213536 | Installer.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | process | target process | events
PID 948 wrote to memory of 213252 | 948 | 0f679420cfdca278cc906fe0304a14cd.exe | AppLaunch.exe | 9
PID 213252 wrote to memory of 213536 | 213252 | AppLaunch.exe | Installer.exe | 7
Processes

C:\Users\Admin\AppData\Local\Temp\0f679420cfdca278cc906fe0304a14cd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f679420cfdca278cc906fe0304a14cd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Installer.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Installer.exe
  Filesize: 82KB
  MD5: 0759cd1397dbd963689019c7ef994df8
  SHA1: b9c0f77040e2ed3065329aa89f7420e68fef6194
  SHA256: 42fbf11d75c5fa3895a269c62e0a23d8cc6856bef6a36c2dce81deac589b286a
  SHA512: 10996b4f98af36456b9f41a488711854123b776d5b130f8db48d9589ea7e5cccde2d7f0eabaf00f7e201dbf52878dbc1c29242f9f35acb4e6f59b80862e83331

\Users\Admin\AppData\Local\Temp\Installer.exe
  Filesize: 82KB
  MD5: 0759cd1397dbd963689019c7ef994df8
  SHA1: b9c0f77040e2ed3065329aa89f7420e68fef6194
  SHA256: 42fbf11d75c5fa3895a269c62e0a23d8cc6856bef6a36c2dce81deac589b286a
  SHA512: 10996b4f98af36456b9f41a488711854123b776d5b130f8db48d9589ea7e5cccde2d7f0eabaf00f7e201dbf52878dbc1c29242f9f35acb4e6f59b80862e83331

memory/213252-54-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/213252-56-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/213252-61-0x000000000041B4CE-mapping.dmp

memory/213252-62-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/213252-63-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/213252-64-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  Filesize: 8KB

memory/213536-66-0x0000000000000000-mapping.dmp

memory/213536-70-0x0000000001240000-0x000000000125E000-memory.dmp
  Filesize: 120KB