Analysis
max time kernel: 91s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-10-2022 14:22
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20220812-en)
General
Target: file.exe
Size: 2.8MB
MD5: f18b7a13b93290e002440df85c878d8b
SHA1: 739bbfc982510dccd2ac96bf47e462e5172c015e
SHA256: c144d8f95f85a7a2467ebf1594045ec5340ab0251b409503525ed3947e382a0d
SHA512: 6caaeedf702951af6e753912a0e4ab7199d3686c2cdb94d8f7dc0a1aaa6177e37da3d2d7e0cfe2d1aaa5c3fb456655b99bb0f7929dcb4b9db3a4ad52d3a1b207
SSDEEP: 24576:XabYMUEBRRPAa+YNYjVSDRfNMm3dnz3t1MCaRhj6rolTXuXutiKqs+DL9kLkkQlh:XqYMUEB3PA8f8CEwroYetiKqs+Dmgl3R
Malware Config
Extracted
Family: redline
Botnet: 000
C2: 13.72.81.58:13413
auth_value: 38039bd2797907beafc7799127f1af5b
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral2/memory/100660-133-0x0000000000750000-0x00000000007B0000-memory.dmp
yara_rule: family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
description: PID 4556 set thread context of 100660
pid: 4556, Process: file.exe, procid_target: 83

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid: 100660, Process: AppLaunch.exe (2 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid: 100660, Process: AppLaunch.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description: PID 4556 wrote to memory of 100660
pid: 4556, Process: file.exe, procid_target: 83 (5 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 4556
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 100660
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken