Analysis
- max time kernel: 142s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-09-2022 09:16
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 1.2MB
- MD5: 354a1aae1775a586196906887d49a3c5
- SHA1: 8cc03420ceeb8180a416ec52925766c12c35e35d
- SHA256: 1baf63a128c8adbb4598a456ddcb81b33042e06f9cdb99e51448643b6f88cc6d
- SHA512: e6f0ab20c69bcf4b5ebb9ca9a9fcdb3a1ae1cbf82210b69b8cda5f45cf69ca50dfa0a7b7ee0225832b34c4599712c252ca720fce97beeacea4611ec0ef522f4c
- SSDEEP: 24576:IfyOJXizSiHYiYEtaGQ79Mbtd9QClaTsKjx9DmS:IfyO1CSdS+sKjuS
Malware Config
Extracted
- redline
- @forceddd_lzt
- 5.182.36.101:31305
- auth_value: 91ffc3d776bc56b5c410d1adf5648512
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  Processes:
  resource                                                                        yara_rule
  behavioral2/memory/102168-133-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: file.exe
  description                              pid   process   target process
  PID 2264 set thread context of 102168    2264  file.exe  AppLaunch.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: AppLaunch.exe
  pid     process
  102168  AppLaunch.exe
  102168  AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: AppLaunch.exe
  description                pid     process
  Token: SeDebugPrivilege    102168  AppLaunch.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: file.exe
  description                           pid   process   target process
  PID 2264 wrote to memory of 102168    2264  file.exe  AppLaunch.exe
  PID 2264 wrote to memory of 102168    2264  file.exe  AppLaunch.exe
  PID 2264 wrote to memory of 102168    2264  file.exe  AppLaunch.exe
  PID 2264 wrote to memory of 102168    2264  file.exe  AppLaunch.exe
  PID 2264 wrote to memory of 102168    2264  file.exe  AppLaunch.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/102168-132-0x0000000000000000-mapping.dmp
- memory/102168-133-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/102168-138-0x0000000005E60000-0x0000000006478000-memory.dmp (Filesize 6.1MB)
- memory/102168-139-0x0000000005950000-0x0000000005A5A000-memory.dmp (Filesize 1.0MB)
- memory/102168-140-0x0000000005880000-0x0000000005892000-memory.dmp (Filesize 72KB)
- memory/102168-141-0x00000000058E0000-0x000000000591C000-memory.dmp (Filesize 240KB)
- memory/102168-142-0x0000000005C10000-0x0000000005CA2000-memory.dmp (Filesize 584KB)
- memory/102168-143-0x0000000006A30000-0x0000000006FD4000-memory.dmp (Filesize 5.6MB)
- memory/102168-144-0x0000000005DE0000-0x0000000005E46000-memory.dmp (Filesize 408KB)
- memory/102168-145-0x0000000006FE0000-0x00000000071A2000-memory.dmp (Filesize 1.8MB)
- memory/102168-146-0x00000000076E0000-0x0000000007C0C000-memory.dmp (Filesize 5.2MB)