Analysis
- max time kernel: 48s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 17-09-2022 04:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0b631c4fb431d496b31c1381376f7e70.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 0b631c4fb431d496b31c1381376f7e70.exe
  Resource: win10v2004-20220812-en
General
- Target: 0b631c4fb431d496b31c1381376f7e70.exe
- Size: 1.3MB
- MD5: 0b631c4fb431d496b31c1381376f7e70
- SHA1: 48f24368aefd0f53a418627a2e36a05fcd391ac5
- SHA256: b3f2f31bff8ef9370d05c3b1f0ac28acd50870e35f20c96e8336585d8a3a97a4
- SHA512: 6f7aa06358f836777dd8fa886a51145a0b46fac485423a3b4e0a8f7d7e54c75710296ef288f31f3271f00349fa1d34787a7b536f2488d46f79dbbf4a36050a41
- SSDEEP: 24576:imHhScn10aEUYTYmhYvrYIMLFdC8uuIRsFIT3LS:imBScn10a3FdRsFIT3L
Malware Config
Extracted
- Family: redline
- Botnet: 5
- C2: 5.61.49.60:1446
- auth_value: 9efbb486a7fa97e03174517a775da52c
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (4 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/98320-56-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
    behavioral1/memory/98320-61-0x0000000000422106-mapping.dmp                    family_redline
    behavioral1/memory/98320-62-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
    behavioral1/memory/98320-63-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                            pid   process                               target process
    PID 1720 set thread context of 98320   1720  0b631c4fb431d496b31c1381376f7e70.exe  AppLaunch.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid    process
    98320  AppLaunch.exe
    98320  AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid    process
    Token: SeDebugPrivilege  98320  AppLaunch.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                          pid   process                               target process
    PID 1720 wrote to memory of 98320    1720  0b631c4fb431d496b31c1381376f7e70.exe  AppLaunch.exe
    (the same entry is recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0b631c4fb431d496b31c1381376f7e70.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b631c4fb431d496b31c1381376f7e70.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/98320-54-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/98320-56-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/98320-61-0x0000000000422106-mapping.dmp
- memory/98320-62-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/98320-63-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/98320-64-0x00000000757A1000-0x00000000757A3000-memory.dmp (Filesize: 8KB)