Overview

overview

10

Static

static

Galaxy_Swa....3.exe

windows7-x64

10

Galaxy_Swa....3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2022 11:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Galaxy_Swapper_v.3.exe

  • Size

    2.6MB

  • MD5

    2741f67ebd1f6b98e794ebb2f372c4e6

  • SHA1

    90c7c15a4b37bfd94e12cb612bdc5164b910c65e

  • SHA256

    36b54ba7b3185ac6559bd6b7cf4f1711fe0105da13dcb9bc81f503fab8673ead

  • SHA512

    c92644b8224cd80ad31680bdfafae4784f73d85a4d2e5e50ffc3ff6bb955f93c34f9f64f78eaa3cf2cae3efa349be8befbf19e10c5df792ff4a6b98df00c22ab

  • SSDEEP

    24576:LojL+cYYPiRNZAblYCYRhIvwadMZldbqZ/2kIiD0gdZ/gDY7LaUzJCl3RuQ5531v:LyvYYaNARvObmZ/gDY72Uz4l3R

Score
10/10
redlineinfostealerspyware

Malware Config

Extracted

Family

redline

C2

79.137.192.9:19788

Attributes
  • auth_value

    03db5fb2245883006ce807f585601e8a

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Galaxy_Swapper_v.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Galaxy_Swapper_v.3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:101828

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/101828-133-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/101828-138-0x00000000053C0000-0x00000000059D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/101828-139-0x0000000004DF0000-0x0000000004E02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/101828-140-0x0000000004F20000-0x000000000502A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/101828-141-0x0000000004E50000-0x0000000004E8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/101828-142-0x00000000051E0000-0x0000000005246000-memory.dmp

    Filesize

    408KB

    Download

  • memory/101828-143-0x0000000005D80000-0x0000000005E12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/101828-144-0x00000000063D0000-0x0000000006974000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/101828-145-0x0000000006000000-0x0000000006050000-memory.dmp

    Filesize

    320KB

    Download

  • memory/101828-146-0x0000000006050000-0x00000000060C6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/101828-147-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/101828-148-0x0000000007270000-0x0000000007432000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/101828-149-0x0000000007970000-0x0000000007E9C000-memory.dmp

    Filesize

    5.2MB

    Download