Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 14:54
Static task: static1
Behavioral task: behavioral1
  Sample: Injector.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Injector.exe
  Resource: win10v2004-20220812-en
General
Target: Injector.exe
Size: 2.4MB
MD5: cb0145387a030a5752379a0e5d4c19ca
SHA1: b8c040fbc133fb39c8081d9aa20520876f0a72af
SHA256: aec0e1cfd256897d421f243f1b4cb482995ca2ef910f8b3d8113632f3e71e315
SHA512: ea064ac9dae9eb91408baac94acaa2215c6e34c151d49b814740216de8e8c5c9ceac1f47a486aadeb328c22ddb0ed8913997a2517475cb906ddbd7aeeddc2ae9
SSDEEP: 24576:vMWtYESYcYklrbgwMWclhnYewyozyTSSOZo4ynYhLmVQLbSNdt0FdNeJFIl3RuQW:EgYPFyozyDnYhLmVQ2xIl32
Malware Config
Extracted
Family: redline
C2: 193.106.191.160:8673
auth_value: ca4f0d882489c8ec9829dd7a4f352198
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (4 IoCs)
resource                                                                      yara_rule
behavioral1/memory/148592-56-0x00000000000B0000-0x00000000000D0000-memory.dmp   family_redline
behavioral1/memory/148592-61-0x00000000000CB50E-mapping.dmp                     family_redline
behavioral1/memory/148592-63-0x00000000000B0000-0x00000000000D0000-memory.dmp   family_redline
behavioral1/memory/148592-62-0x00000000000B0000-0x00000000000D0000-memory.dmp   family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
description                              pid   process        target process
PID 864 set thread context of 148592     864   Injector.exe   AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid      process
148592   AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid      process
Token: SeDebugPrivilege   148592   AppLaunch.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                          pid   process        target process
PID 864 wrote to memory of 148592    864   Injector.exe   AppLaunch.exe   (same entry repeated 9 times)
Processes
C:\Users\Admin\AppData\Local\Temp\Injector.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  PID: 864
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 148592
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
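The signatures and process tree above describe one pattern: Injector.exe (PID 864) launches the .NET framework host AppLaunch.exe from C:\Windows\Microsoft.NET\Framework with no arguments, writes into it nine times, sets its thread context, and the child then enables SeDebugPrivilege and enumerates processes. The family_redline YARA hits are on the child's memory dumps, not on Injector.exe itself, which is what you expect when a loader injects its payload into a trusted host. The script below is an added example, not Tria.ge's own signature engine: it correlates per-PID behaviour events into a single injection alert that requires both WriteProcessMemory and SetThreadContext on the same target, so that writes alone (debuggers, security tooling) do not fire. The event records are constructed from this report, and the field names and path heuristics are assumptions to be mapped onto your own sandbox or EDR telemetry.

```python
"""Correlate per-PID sandbox behaviour events into a process-injection alert.

Added example, not Tria.ge's own signature logic. The event records below are
constructed to mirror the report above (Injector.exe PID 864 -> AppLaunch.exe
PID 148592); the field names and the path heuristics are assumptions, so map
your own sandbox or EDR telemetry onto them before use.
"""
from collections import defaultdict

EVENTS = [  # constructed from the report's Signatures / Processes sections
    {"op": "process_create", "pid": 864, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Injector.exe"},
    {"op": "process_create", "pid": 148592, "ppid": 864,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    *[{"op": "write_process_memory", "pid": 864, "target": 148592} for _ in range(9)],
    {"op": "set_thread_context", "pid": 864, "target": 148592},
    {"op": "adjust_privilege_token", "pid": 148592, "privilege": "SeDebugPrivilege"},
    {"op": "enumerate_processes", "pid": 148592},
]

# Assumed heuristics: a hollowing decoy is usually a trusted binary under the
# .NET framework directory, and the injector usually runs from a user-writable path.
DOTNET_HOST_DIR = r"c:\windows\microsoft.net\framework"
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def correlate(events):
    """Return one alert per (source, target) pair that both wrote into the
    target and changed a thread context there. Writes alone are ignored
    because debuggers and security tools generate them legitimately."""
    images, parents = {}, {}
    writes = defaultdict(int)          # (src_pid, dst_pid) -> WriteProcessMemory count
    thread_ctx = set()                 # (src_pid, dst_pid) pairs with SetThreadContext
    post_injection = defaultdict(set)  # pid -> actions it performed afterwards

    for e in events:
        op = e["op"]
        if op == "process_create":
            images[e["pid"]] = e["image"]
            parents[e["pid"]] = e["ppid"]
        elif op == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif op == "set_thread_context":
            thread_ctx.add((e["pid"], e["target"]))
        elif op == "adjust_privilege_token":
            post_injection[e["pid"]].add("privilege:" + e["privilege"])
        elif op == "enumerate_processes":
            post_injection[e["pid"]].add("enumerate_processes")

    alerts = []
    for (src, dst), count in writes.items():
        if (src, dst) not in thread_ctx:
            continue  # memory writes without a thread-context change: not enough on their own
        src_img = images.get(src, "<unknown>")
        dst_img = images.get(dst, "<unknown>")
        reasons = [f"{count} WriteProcessMemory + SetThreadContext from PID {src} to PID {dst}"]
        if dst_img.lower().startswith(DOTNET_HOST_DIR):
            reasons.append("target is a .NET framework host binary (typical hollowing decoy)")
        if src_img.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("source image runs from a user-writable path")
        if parents.get(dst) == src:
            reasons.append("target was spawned by the source")
        for action in sorted(post_injection.get(dst, ())):
            reasons.append(f"injected process then performed: {action}")
        alerts.append({"source": (src, src_img), "target": (dst, dst_img), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(f"ALERT {alert['source'][1]} (PID {alert['source'][0]}) -> "
              f"{alert['target'][1]} (PID {alert['target'][0]})")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run on the constructed events it produces exactly one alert for 864 -> 148592 with all five supporting reasons; dropping the set_thread_context event yields no alert, which is the intended trade-off between coverage and noise.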
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/148592-54-0x00000000000B0000-0x00000000000D0000-memory.dmp   Filesize: 128KB
memory/148592-56-0x00000000000B0000-0x00000000000D0000-memory.dmp   Filesize: 128KB
memory/148592-61-0x00000000000CB50E-mapping.dmp
memory/148592-63-0x00000000000B0000-0x00000000000D0000-memory.dmp   Filesize: 128KB
memory/148592-62-0x00000000000B0000-0x00000000000D0000-memory.dmp   Filesize: 128KB
memory/148592-64-0x0000000075141000-0x0000000075143000-memory.dmp   Filesize: 8KB