Analysis
-
max time kernel
291s -
max time network
299s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
01/11/2022, 10:43
Static task
static1
Behavioral task
behavioral1
Sample
aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe
Resource
win10-20220812-en
General
-
Target
aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe
-
Size
2.4MB
-
MD5
6193449d69b97567869f8caa7fbf2a02
-
SHA1
3753b5613587073110a056eb79828bdb33a06cd2
-
SHA256
aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b
-
SHA512
3caf4ce3c642bb994e1a1318c1a013147e100ef67682bfdf5533e751e0c5254ea0f77602fa12901326082e782789608766d574952e13f1e482097c6a727e93c0
-
SSDEEP
24576:/DzdO2YwY5zWSqoMvWo6erJJu163vMr6N9TMnwE7RPLPN2AMhH7gl3RuQ55313/://dEStvMr89TMnwE7RPugl3B
Malware Config
Extracted
redline
123123nn
62.204.41.31:33944
-
auth_value
534f6127cc1d3e70606c17c1a8acf137
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/148576-56-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/148576-61-0x000000000041ADB6-mapping.dmp family_redline behavioral1/memory/148576-62-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/148576-63-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/1492-64-0x0000000000400000-0x0000000000560000-memory.dmp family_redline -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1492 set thread context of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28 -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1492 wrote to memory of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28 PID 1492 wrote to memory of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28 PID 1492 wrote to memory of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28 PID 1492 wrote to memory of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28 PID 1492 wrote to memory of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28 PID 1492 wrote to memory of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28 PID 1492 wrote to memory of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28 PID 1492 wrote to memory of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28 PID 1492 wrote to memory of 148576 1492 aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe"C:\Users\Admin\AppData\Local\Temp\aac40675dc0a0bfbabd6bd56acaff56ab6f47b1f55ec9c4a7c4b16cfa213df2b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:148576
-