Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2022 14:04
Static task
- static1

Behavioral task
- behavioral1
  - Sample: mal.exe
  - Resource: win7-20220812-en
  - 5 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: mal.exe
  - Resource: win10v2004-20220812-en
  - 5 signatures
  - 150 seconds
General
- Target: mal.exe
- Size: 1.5MB
- MD5: 84d23b22008035354bbabc93aa8d5da7
- SHA1: eb776a76b6691a6151b3a4cfcbd5ae6ac5bcf8f6
- SHA256: 502c32dd4ce9820711f0840c33e7de4c69617802160870e2a4f02690ae28029c
- SHA512: 1f24991660fffff3ffd42d039a4598625bdc9b0c1e331d8c6145095c207dd4639af5144b275c60a811091edc86433e261d4bd8b56feec229dfb6cce70c9df67d
- Score: 10/10
Malware Config
Extracted
- Family: redline
- Botnet: X
- C2: 45.76.223.107:25950
- Attributes
  - auth_value: 249e1ece2f90b39d9c5563282076f21f
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
  | resource | yara_rule |
  | --- | --- |
  | behavioral2/memory/1032-138-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline |
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 1036 set thread context of 1032 | 1036 | mal.exe | InstallUtil.exe |
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  | pid | process | occurrences |
  | --- | --- | --- |
  | 1036 | mal.exe | 10 |
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  | description | pid | process | target process | occurrences |
  | --- | --- | --- | --- | --- |
  | PID 1036 wrote to memory of 1032 | 1036 | mal.exe | InstallUtil.exe | 5 |
Processes
- C:\Users\Admin\AppData\Local\Temp\mal.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mal.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
MITRE ATT&CK Matrix
Downloads
| File | Filesize |
| --- | --- |
| memory/1032-135-0x0000000000000000-mapping.dmp | |
| memory/1032-136-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB |
| memory/1032-138-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB |
| memory/1032-140-0x0000000005B80000-0x0000000006198000-memory.dmp | 6.1MB |
| memory/1032-141-0x0000000005620000-0x0000000005632000-memory.dmp | 72KB |
| memory/1032-142-0x0000000005750000-0x000000000585A000-memory.dmp | 1.0MB |
| memory/1032-143-0x0000000005680000-0x00000000056BC000-memory.dmp | 240KB |
| memory/1036-132-0x00000000024AB000-0x0000000002B40000-memory.dmp | 6.6MB |
| memory/1036-133-0x00000000022EF000-0x000000000243C000-memory.dmp | 1.3MB |
| memory/1036-134-0x0000000010F90000-0x00000000110AA000-memory.dmp | 1.1MB |
| memory/1036-139-0x00000000022EF000-0x000000000243C000-memory.dmp | 1.3MB |