Analysis
- max time kernel: 228s
- max time network: 493s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-10-2022 13:32
Behavioral tasks
  Task         Sample            Resource
  behavioral1  About/About.pdf   win7-20220812-en
  behavioral2  About/About.pdf   win10-20220812-en
  behavioral3  About/About.pdf   win10v2004-20220901-en
  behavioral4  MetaLauncher.exe  win7-20220812-en
  behavioral5  MetaLauncher.exe  win10-20220812-en
  behavioral6  MetaLauncher.exe  win10v2004-20220901-en
General
- Target: MetaLauncher.exe
- Size: 700.5MB
- MD5: 600237ec7d74cb6b528867f26ae33977
- SHA1: 37908809d150700feb0f8eee0ed9c8274c6d35ed
- SHA256: 588b0421021a7380c20b270c5262d6fc99294e186e9bebb78aaa255486fe449a
- SHA512: 3967de420952bba8f3b390be6f7de0420ea31d3411b4922eee5b74e961bc4ac72c5b79aeab4f1c89bb09d6b84a80e5be4db655d04045114bfbf5ecb7a0d4e635
- SSDEEP: 12288:dwSfhUzOJgt7O3iu2qh/pyVCfY9JvaS1p5eB7A:/hUzKgQ3zjS5dDeBM
Malware Config
Extracted
- Family: redline
- Botnet: cryptex
- C2: 185.106.93.212:5616
- auth_value: 37d14024d256c3c1402d889a89376087
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTP)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description         pid  process           target process
    set thread context  444  MetaLauncher.exe  3684 vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3684  vbc.exe
    3684  vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3684  vbc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description      pid  process           target process
    wrote to memory  444  MetaLauncher.exe  3684 vbc.exe   (8 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\MetaLauncher.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MetaLauncher.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  Dump                                                              Filesize
  memory/444-132-0x0000000000F80000-0x0000000001002000-memory.dmp   520KB
  memory/3684-133-0x0000000000000000-mapping.dmp                    -
  memory/3684-134-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/3684-135-0x0000000005780000-0x0000000005D98000-memory.dmp  6.1MB
  memory/3684-136-0x00000000051D0000-0x00000000051E2000-memory.dmp  72KB
  memory/3684-137-0x0000000005300000-0x000000000540A000-memory.dmp  1.0MB
  memory/3684-138-0x0000000005230000-0x000000000526C000-memory.dmp  240KB
  memory/3684-139-0x0000000006350000-0x00000000068F4000-memory.dmp  5.6MB
  memory/3684-140-0x00000000055B0000-0x0000000005642000-memory.dmp  584KB
  memory/3684-141-0x0000000005650000-0x00000000056B6000-memory.dmp  408KB
  memory/3684-142-0x0000000006BD0000-0x0000000006D92000-memory.dmp  1.8MB
  memory/3684-143-0x00000000072D0000-0x00000000077FC000-memory.dmp  5.2MB
  memory/3684-144-0x0000000006A00000-0x0000000006A50000-memory.dmp  320KB
  memory/3684-145-0x0000000006AD0000-0x0000000006B46000-memory.dmp  472KB
  memory/3684-146-0x0000000006B80000-0x0000000006B9E000-memory.dmp  120KB