Analysis
-
max time kernel
138s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
-
submitted
17-07-2022 02:07
General
-
Target
52b848abe5f067ac4822925b859d8f58cd416a3ec8dd6457aaafae794632ba1c.exe
-
Size
1.4MB
-
MD5
b630bd574756df49465fe6d7fb41e7d3
-
SHA1
628dd252c4a5e611093e722166e65c1d9ca55a80
-
SHA256
52b848abe5f067ac4822925b859d8f58cd416a3ec8dd6457aaafae794632ba1c
-
SHA512
e1b10edc631ff4650bc6a930e8ac30e9c02197997a22ce84e905d3c1a77e0bdb18afa78236a6e5840bf23cd1723920dd1aad96abea2a3afdf6aca2a82d10524d
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
@JABKA9983
C2
92.255.85.137:41320
Attributes
-
auth_value
507a0c408947972b94cf44475f601269
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\52b848abe5f067ac4822925b859d8f58cd416a3ec8dd6457aaafae794632ba1c.exe"C:\Users\Admin\AppData\Local\Temp\52b848abe5f067ac4822925b859d8f58cd416a3ec8dd6457aaafae794632ba1c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1820-143-0x0000000005740000-0x0000000005D58000-memory.dmpFilesize
6.1MB
-
memory/1820-136-0x0000000000000000-mapping.dmp
-
memory/1820-137-0x00000000001A0000-0x00000000001C0000-memory.dmpFilesize
128KB
-
memory/1820-144-0x0000000006FC0000-0x0000000006FD2000-memory.dmpFilesize
72KB
-
memory/1820-145-0x0000000007130000-0x000000000723A000-memory.dmpFilesize
1.0MB
-
memory/1820-146-0x0000000007060000-0x000000000709C000-memory.dmpFilesize
240KB
-
memory/4356-131-0x0000000000400000-0x00000000007B0000-memory.dmpFilesize
3.7MB
-
memory/4356-132-0x0000000000400000-0x00000000007B0000-memory.dmpFilesize
3.7MB
-
memory/4356-133-0x0000000002570000-0x00000000025D0000-memory.dmpFilesize
384KB
-
memory/4356-134-0x0000000000400000-0x00000000007B0000-memory.dmpFilesize
3.7MB
-
memory/4356-135-0x0000000000400000-0x00000000007B0000-memory.dmpFilesize
3.7MB
-
memory/4356-142-0x0000000000400000-0x00000000007B0000-memory.dmpFilesize
3.7MB
-
memory/4356-130-0x0000000000400000-0x00000000007B0000-memory.dmpFilesize
3.7MB