Analysis
-
max time kernel: 47s
max time network: 67s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-09-2022 04:11
-
Static task: static1
Behavioral task: behavioral1
Sample: Valorant Skin Changer.exe
Resource: win7-20220812-en
General
-
Target: Valorant Skin Changer.exe
Size: 463KB
MD5: 614fdab08259badfde733dcb31f7136b
SHA1: f8a4f0bbba13c8590a69b7d3afdb757d8a3349e6
SHA256: 020b635a94c45367c89ec249a40ca829163c988c02ba308d111041245da801cb
SHA512: 2ffd92175f43a63f7e13e22b08cc6ac4fb509667ad9c92c61f531faee4d4428ad7d461fb2071f81bfa1a197ba2ee0bf970eb9cb51cf2cb96c35e9f93620202d4
SSDEEP: 6144:pzCQyNPBUwSu4Tuk7S67FBwmatf37y43VELKSv3s6WWXVibtLmlxXFAOMMsESjL+:wU9uAz3wmatfKXvnWWXctmXFJ0Xj0b
Malware Config
-
Extracted
Family: redline
C2: 62.204.41.141:24758
auth_value: b34b8a919a71ed4027bc3f495b7f799e
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/154356-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
-
YTStealer payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/154600-157-0x0000000000140000-0x0000000000F52000-memory.dmp | family_ytstealer
behavioral2/memory/154600-162-0x0000000000140000-0x0000000000F52000-memory.dmp | family_ytstealer
-
Downloads MZ/PE file
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
154600 | start.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\start.exe | upx
C:\Users\Admin\AppData\Local\Temp\start.exe | upx
behavioral2/memory/154600-156-0x0000000000140000-0x0000000000F52000-memory.dmp | upx
behavioral2/memory/154600-157-0x0000000000140000-0x0000000000F52000-memory.dmp | upx
behavioral2/memory/154600-162-0x0000000000140000-0x0000000000F52000-memory.dmp | upx
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2364 set thread context of 154356 | 2364 | Valorant Skin Changer.exe | AppLaunch.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
154356 | AppLaunch.exe
4992 | powershell.exe
4992 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 154356 | AppLaunch.exe
Token: SeDebugPrivilege | 4992 | powershell.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 2364 wrote to memory of 154356 | 2364 | Valorant Skin Changer.exe | AppLaunch.exe
PID 2364 wrote to memory of 154356 | 2364 | Valorant Skin Changer.exe | AppLaunch.exe
PID 2364 wrote to memory of 154356 | 2364 | Valorant Skin Changer.exe | AppLaunch.exe
PID 2364 wrote to memory of 154356 | 2364 | Valorant Skin Changer.exe | AppLaunch.exe
PID 2364 wrote to memory of 154356 | 2364 | Valorant Skin Changer.exe | AppLaunch.exe
PID 154356 wrote to memory of 154600 | 154356 | AppLaunch.exe | start.exe
PID 154356 wrote to memory of 154600 | 154356 | AppLaunch.exe | start.exe
PID 154600 wrote to memory of 4992 | 154600 | start.exe | powershell.exe
PID 154600 wrote to memory of 4992 | 154600 | start.exe | powershell.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Valorant Skin Changer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Valorant Skin Changer.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\start.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\start.exe"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell "" "Get-WmiObject Win32_PortConnector"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\start.exe
Filesize: 4.0MB
MD5: 47b29465bb5fcbbd899f1d98af193f06
SHA1: ddd7c01b07939751f734c1e9b7aa17853447e02c
SHA256: a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb
SHA512: 838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8
-
memory/4992-161-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp
Filesize: 10.8MB
-
memory/4992-160-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp
Filesize: 10.8MB
-
memory/4992-159-0x00000216F6110000-0x00000216F6132000-memory.dmp
Filesize: 136KB
-
memory/4992-158-0x0000000000000000-mapping.dmp
-
memory/154356-151-0x0000000009060000-0x0000000009222000-memory.dmp
Filesize: 1.8MB
-
memory/154356-145-0x0000000008770000-0x0000000008D14000-memory.dmp
Filesize: 5.6MB
-
memory/154356-147-0x0000000008300000-0x0000000008376000-memory.dmp
Filesize: 472KB
-
memory/154356-148-0x00000000085A0000-0x00000000085BE000-memory.dmp
Filesize: 120KB
-
memory/154356-149-0x0000000008D20000-0x0000000008D86000-memory.dmp
Filesize: 408KB
-
memory/154356-150-0x00000000086F0000-0x0000000008740000-memory.dmp
Filesize: 320KB
-
memory/154356-135-0x0000000000000000-mapping.dmp
-
memory/154356-152-0x0000000009BE0000-0x000000000A10C000-memory.dmp
Filesize: 5.2MB
-
memory/154356-136-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/154356-146-0x0000000008260000-0x00000000082F2000-memory.dmp
Filesize: 584KB
-
memory/154356-144-0x0000000007640000-0x000000000767C000-memory.dmp
Filesize: 240KB
-
memory/154356-141-0x0000000005D80000-0x0000000006398000-memory.dmp
Filesize: 6.1MB
-
memory/154356-142-0x0000000005CB0000-0x0000000005CC2000-memory.dmp
Filesize: 72KB
-
memory/154356-143-0x0000000007710000-0x000000000781A000-memory.dmp
Filesize: 1.0MB
-
memory/154600-157-0x0000000000140000-0x0000000000F52000-memory.dmp
Filesize: 14.1MB
-
memory/154600-156-0x0000000000140000-0x0000000000F52000-memory.dmp
Filesize: 14.1MB
-
memory/154600-153-0x0000000000000000-mapping.dmp
-
memory/154600-162-0x0000000000140000-0x0000000000F52000-memory.dmp
Filesize: 14.1MB