Analysis
Max time kernel: 148s
Max time network: 156s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 01-09-2022 10:50
Static task: static1
Behavioral task: behavioral1 (sample tmp.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample tmp.exe, resource win10v2004-20220812-en)
General
Target: tmp.exe
Size: 1.2MB
MD5: 455400def1f221f6947098b7f8b744b2
SHA1: e0a33de435792d33be25ee3a667b29b780dfac5e
SHA256: cc265c5d066b1eb28af641a7676061e145955fbee0e410dc5fdfb8bdb9676695
SHA512: 6960f5831259c23a3c56b85cbced1512e7063ca313baddb8423ec43a11f9bfc34aeee6e6f57396ca18b84e07c2c21b483c820bc79f0505fd6cd88dd7662f9e3c
SSDEEP: 24576:unEweSxfwe0eTyaXXVz55jd2UbWCAxE/:u8cewf5gU6CA
Malware Config
Extracted family: redline
Botnet: 76
C2: 139.99.32.83:43199
auth_value: 44d461325298129ed3c705440f57962c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (4 IoCs)
All four family_redline YARA hits are on behavioral1 memory dumps of PID 34876 (AppLaunch.exe), not on the tmp.exe process itself: the decoded stealer lives in the injected process, and those dumps are where to carve it from for further analysis. The 0x400000-0x420000 region is the default 32-bit PE image base, matching the 32-bit Framework (not Framework64) AppLaunch.exe host.
resource                                                                       yara_rule
behavioral1/memory/34876-56-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
behavioral1/memory/34876-61-0x000000000041AD5A-mapping.dmp                     family_redline
behavioral1/memory/34876-62-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
behavioral1/memory/34876-63-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline

Suspicious use of SetThreadContext (1 IoC)
description                              pid    process   target process
PID 1952 set thread context of 34876     1952   tmp.exe   AppLaunch.exe

Suspicious use of WriteProcessMemory (9 IoCs)
The same event is recorded nine times:
description                              pid    process   target process
PID 1952 wrote to memory of 34876        1952   tmp.exe   AppLaunch.exe

Taken together, the two signatures show tmp.exe writing into a freshly started AppLaunch.exe nine times and then setting that process's thread context. This is the classic process-hollowing sequence: spawn a signed Microsoft .NET host, overwrite its image with the payload, and redirect its main thread to the new entry point. The signatures only count the primitives; the confirmation that the written payload is RedLine comes from the YARA hits above on PID 34876's memory.
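The correlation described above, as an added example that is not part of the original report or of any sandbox's own code: the script groups the report's raw SetThreadContext and WriteProcessMemory event lines by (source PID, target PID) and flags pairs where one process both wrote into and set the thread context of a different process. The event lines are copied from the two signatures; the line format, the NET_HOSTS allow-list and the benign explorer.exe control line are this example's own assumptions.

```python
"""Correlate sandbox process events into a process-injection summary.

Added example, not part of the original report or of any sandbox's code.
REPORT_EVENTS holds the lines printed under the report's SetThreadContext
and WriteProcessMemory signatures; the line format, NET_HOSTS and the
control line are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Column order as the report prints it:
# "PID <src> <action> <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Assumed allow-list of signed .NET Framework hosts that loaders commonly
# hollow; AppLaunch.exe is the one this report shows.
NET_HOSTS = {"AppLaunch.exe", "RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"}

REPORT_EVENTS = (
    ["PID 1952 set thread context of 34876 1952 tmp.exe AppLaunch.exe"]
    + ["PID 1952 wrote to memory of 34876 1952 tmp.exe AppLaunch.exe"] * 9
    # Constructed control line: a process writing into itself is not injection.
    + ["PID 4000 wrote to memory of 4000 4000 explorer.exe explorer.exe"]
)


@dataclass
class InjectionPair:
    src_pid: int
    dst_pid: int
    src_img: str
    dst_img: str
    writes: int = 0
    context_sets: int = 0

    @property
    def hollowing_like(self) -> bool:
        """Both primitives from one source into a *different* process:
        write the payload in, then redirect a thread to it."""
        return self.src_pid != self.dst_pid and self.writes > 0 and self.context_sets > 0


def parse_events(lines):
    """Group raw event lines by (source PID, target PID) and count primitives."""
    pairs = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue  # not an event line we understand; skip rather than guess
        key = (int(m["src"]), int(m["dst"]))
        pair = pairs.setdefault(key, InjectionPair(*key, m["src_img"], m["dst_img"]))
        if m["action"] == "wrote to memory of":
            pair.writes += 1
        else:
            pair.context_sets += 1
    return pairs


def summarize(pairs):
    """Return one finding per hollowing-like pair, with the evidence counts."""
    findings = []
    for pair in pairs.values():
        if not pair.hollowing_like:
            continue
        findings.append({
            "source": f"{pair.src_img} (PID {pair.src_pid})",
            "target": f"{pair.dst_img} (PID {pair.dst_pid})",
            "writes": pair.writes,
            "context_sets": pair.context_sets,
            "target_is_net_host": pair.dst_img in NET_HOSTS,
            # Where the unpacked payload should be carved from in the report's dump list.
            "dump_hint": f"memory/{pair.dst_pid}-*.dmp",
        })
    return findings


if __name__ == "__main__":
    for finding in summarize(parse_events(REPORT_EVENTS)):
        print(finding)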
Processes
1. C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1952)
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 34876)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

AppLaunch.exe is started with an empty command line, which a legitimate .NET launcher has no reason to do; a bare AppLaunch.exe child of a user-writable Temp executable is itself a useful hunt signal independent of the memory signatures.
Downloads
All dumps are from PID 34876 (AppLaunch.exe):
memory/34876-54-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
memory/34876-56-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
memory/34876-61-0x000000000041AD5A-mapping.dmp (no size listed)
memory/34876-62-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
memory/34876-63-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
memory/34876-64-0x0000000076051000-0x0000000076053000-memory.dmp (8KB)

The four 128KB dumps are successive snapshots of the same 0x400000-0x420000 image region; the family_redline rule matched dumps 56, 62 and 63 (plus the 61 mapping dump) but not the earliest one, 54, so the later snapshots are the ones to take for carving the unpacked payload.