Analysis
-
max time kernel
164s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
14-07-2022 07:56
Static task
static1
Behavioral task
behavioral1
Sample
d11db9c62a8150cb6a0188780f503f80.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
d11db9c62a8150cb6a0188780f503f80.exe
Resource
win10v2004-20220414-en
General
-
Target
d11db9c62a8150cb6a0188780f503f80.exe
-
Size
290KB
-
MD5
d11db9c62a8150cb6a0188780f503f80
-
SHA1
bfd83c761dfd1f04cce0d25ba115c7ac698d04a2
-
SHA256
fc456589093a8fa62517604f46722a2696ff4104b4828f55b40e26985fdca24d
-
SHA512
2027dea5192396a0a319772f2b4abc7a468366e91eb92241b2940f005d10f67786cc5c28aa7c64975f30c30c8380e0ed98ca847c77537ef31916fa639b3adee9
Malware Config
Extracted
redline
76
139.99.32.83:43199
-
auth_value
44d461325298129ed3c705440f57962c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
Resource: behavioral2/memory/2208-131-0x0000000000400000-0x0000000000420000-memory.dmp
YARA rule: family_redline
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
d11db9c62a8150cb6a0188780f503f80.exe
Description: PID 1200 set thread context of 2208
PID: 1200
Process: d11db9c62a8150cb6a0188780f503f80.exe
Target process: AppLaunch.exe
-
Program crash 1 IoCs
Processes:
WerFault.exe
PID: 2924
Target PID: 1200
Process: WerFault.exe
Target process: d11db9c62a8150cb6a0188780f503f80.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
d11db9c62a8150cb6a0188780f503f80.exe
Description: PID 1200 wrote to memory of 2208 (5 events)
PID: 1200
Process: d11db9c62a8150cb6a0188780f503f80.exe
Target process: AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d11db9c62a8150cb6a0188780f503f80.exe (PID 1200)
Command line: "C:\Users\Admin\AppData\Local\Temp\d11db9c62a8150cb6a0188780f503f80.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2208, child of 1200)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
-
    C:\Windows\SysWOW64\WerFault.exe (PID 2924, child of 1200)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 276
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1200 -ip 1200
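The signatures and process tree above describe one pattern: the sample (PID 1200, running from the user's Temp directory) starts the signed .NET host AppLaunch.exe (PID 2208) with no arguments, writes into it five times, sets its thread context, and the RedLine YARA hit then lands inside the child at 0x400000-0x420000. AppLaunch.exe is loaded from Framework rather than Framework64 and WerFault.exe runs from SysWOW64, so both injector and host are 32-bit, which matches the 0x400000 image base in the dump. The injector itself then crashes (WerFault -p 1200) while the hollowed child keeps running. The following detector is an added example, not code from the Triage report or from RedLine; it runs over constructed API-level events that mirror the report's PIDs and command lines. The event schema, the list of .NET host binaries and the user-writable path prefixes are assumptions made for the example.

```python
"""Added example: detect the process-hollowing shape recorded in this report
(argument-less .NET host + WriteProcessMemory + SetThreadContext) over
constructed sandbox-style events. Not part of the Triage report."""
import ntpath
from collections import defaultdict

# Assumption: signed .NET framework binaries that are commonly abused as hollowing hosts.
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Assumption: path prefixes a non-admin user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

EVENTS = [  # constructed, mirroring the report's PIDs and command lines
    {"event": "process_create", "pid": 1200, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d11db9c62a8150cb6a0188780f503f80.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\d11db9c62a8150cb6a0188780f503f80.exe"'},
    {"event": "process_create", "pid": 2208, "ppid": 1200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'},
    *({"event": "api", "api": "WriteProcessMemory", "pid": 1200, "target_pid": 2208} for _ in range(5)),
    {"event": "api", "api": "SetThreadContext", "pid": 1200, "target_pid": 2208},
    {"event": "process_create", "pid": 2924, "ppid": 1200,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 276"},
]

BENIGN_EVENTS = [  # constructed control: AppLaunch.exe started with an argument, no injection
    {"event": "process_create", "pid": 3000, "ppid": 900,
     "image": r"C:\Program Files\Vendor\setup.exe", "cmdline": r'"C:\Program Files\Vendor\setup.exe"'},
    {"event": "process_create", "pid": 3100, "ppid": 3000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" "C:\Program Files\Vendor\plugin.dll"'},
]


def split_cmdline(cmdline):
    """Split a Windows command line into (image, argument string). A leading
    double-quoted token is the image; otherwise the first space-delimited token is."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def find_hollowing(events):
    """One finding per (actor, target) pair where the actor wrote into a .NET host
    that was started without arguments and then replaced its thread context."""
    procs = {}
    calls = defaultdict(list)  # (actor_pid, target_pid) -> list of API names
    for ev in events:
        if ev["event"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["event"] == "api":
            calls[(ev["pid"], ev["target_pid"])].append(ev["api"])

    findings = []
    for (actor, target), apis in calls.items():
        tproc = procs.get(target)
        if tproc is None:
            continue
        image, args = split_cmdline(tproc["cmdline"])
        # A host started with arguments is doing real work; hollowing starts it bare.
        if ntpath.basename(image).lower() not in DOTNET_HOSTS or args:
            continue
        writes = apis.count("WriteProcessMemory")
        if writes == 0 or "SetThreadContext" not in apis:
            continue
        actor_image = procs.get(actor, {}).get("image", "")
        findings.append({
            "actor_pid": actor,
            "actor_image": actor_image,
            "target_pid": target,
            "target_image": image,
            "writes": writes,
            "created_by_actor": tproc["ppid"] == actor,
            "actor_in_user_writable_path": actor_image.lower().startswith(USER_WRITABLE_PREFIXES),
            "technique": "T1055.012",  # ATT&CK: Process Injection: Process Hollowing
        })
    return findings


def crash_reports(events):
    """PIDs that WerFault.exe was started for (-p <pid>). Here it is the injector
    (1200) that crashes after the hand-off; the hollowed child is not reported."""
    pids = set()
    for ev in events:
        if ev["event"] != "process_create" or ntpath.basename(ev["image"]).lower() != "werfault.exe":
            continue
        toks = split_cmdline(ev["cmdline"])[1].split()
        for i, tok in enumerate(toks[:-1]):
            if tok == "-p" and toks[i + 1].isdigit():
                pids.add(int(toks[i + 1]))
    return pids


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS):
        print(finding)
    print("WerFault crash reports for PIDs:", sorted(crash_reports(EVENTS)))
```

The argument check matters in practice: AppLaunch.exe, RegAsm.exe and the other hosts are routinely started by legitimate installers, but always with something to run; an argument-less start followed by remote writes and a thread-context change from a parent in a user-writable path is the hollowing shape and little else. A crash report for the parent rather than the host is a useful secondary signal that the hand-off completed.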
Network
MITRE ATT&CK Matrix
Downloads
-
memory/2208-130-0x0000000000000000-mapping.dmp
-
memory/2208-131-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2208-136-0x0000000005EA0000-0x00000000064B8000-memory.dmp
Filesize: 6.1MB
-
memory/2208-137-0x0000000005940000-0x0000000005952000-memory.dmp
Filesize: 72KB
-
memory/2208-138-0x0000000005A70000-0x0000000005B7A000-memory.dmp
Filesize: 1.0MB
-
memory/2208-139-0x00000000059A0000-0x00000000059DC000-memory.dmp
Filesize: 240KB