Analysis
- Max time kernel: 64s
- Max time network: 92s
- Platform: windows7_x64
- Resource: win7-20220812-en
- Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- Submitted: 26-11-2022 03:23
Static task
- static1

Behavioral tasks (sample, resource)
- behavioral1: Sоnic Frоntiеrs Sеtuр/CoreFoundation.resources/Info.xml, win7-20220812-en
- behavioral2: Sоnic Frоntiеrs Sеtuр/CoreFoundation.resources/Info.xml, win10v2004-20220812-en
- behavioral3: Sоnic Frоntiеrs Sеtuр/CoreMedia.resources/AVAssetExportPresets.xml, win7-20220812-en
- behavioral4: Sоnic Frоntiеrs Sеtuр/CoreMedia.resources/AVAssetExportPresets.xml, win10v2004-20221111-en
- behavioral5: Sоnic Frоntiеrs Sеtuр/CoreMedia.resources/AVExportBitRate.xml, win7-20221111-en
- behavioral6: Sоnic Frоntiеrs Sеtuр/CoreMedia.resources/AVExportBitRate.xml, win10v2004-20221111-en
- behavioral7: Sоnic Frоntiеrs Sеtuр/CoreMedia.resources/Info.xml, win7-20221111-en
- behavioral8: Sоnic Frоntiеrs Sеtuр/CoreMedia.resources/Info.xml, win10v2004-20221111-en
- behavioral9: Sоnic Frоntiеrs Sеtuр/CoreText.resources/DefaultFontFallbacks.xml, win7-20220901-en
- behavioral10: Sоnic Frоntiеrs Sеtuр/CoreText.resources/DefaultFontFallbacks.xml, win10v2004-20221111-en
- behavioral11: Sоnic Frоntiеrs Sеtuр/CoreText.resources/Info.xml, win7-20221111-en
- behavioral12: Sоnic Frоntiеrs Sеtuр/CoreText.resources/Info.xml, win10v2004-20220812-en
- behavioral13: Sоnic Frоntiеrs Sеtuр/Foundation.resources/Info.xml, win7-20220901-en
- behavioral14: Sоnic Frоntiеrs Sеtuр/Foundation.resources/Info.xml, win10v2004-20220812-en
- behavioral15: Sоnic Frоntiеrs Sеtuр/Sоnic Frоntiеrs Sеtuр.exe, win7-20220812-en
- behavioral16: Sоnic Frоntiеrs Sеtuр/Sоnic Frоntiеrs Sеtuр.exe, win10v2004-20220812-en
General
- Target: Sоnic Frоntiеrs Sеtuр/Sоnic Frоntiеrs Sеtuр.exe
- Size: 763.6MB
- MD5: 1c3cf682c253a5a931a7de2e4be5e67e
- SHA1: 73ac7ba407fc95d0b7121eb0e9499dfbdf3ccdbc
- SHA256: 0ac69838b494dae7b4f64531ad20068d3b66b193858bbf1b4bfcb4e19417714a
- SHA512: 9ed28350ade2b5f07e8efb561563223115527e37c8e656e824fe800bbd99fe4395bc2e76e6441341fe11b8480aed9c72501a1e6bec0cd62b027a73d254816c98
- SSDEEP: 98304:lrl9Mjm6TJse6CiowYIHYLBlrqTaXEV/61IujIAnNu/ppEPlYMr:Nl9Km6TJH6TYI8BlrOki/d7AnmgPlB
Malware Config
Extracted
- Family: redline
- Botnet: @cham1ng
- C2: 193.106.191.160:8673
- auth_value: 296c18e34d670ae41d67c9e09e2546b7
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  Processes (resource, yara_rule):
  - behavioral15/memory/95972-60-0x0000000000400000-0x0000000000428000-memory.dmp, family_redline
  - behavioral15/memory/95972-65-0x0000000000422196-mapping.dmp, family_redline
  - behavioral15/memory/95972-66-0x0000000000400000-0x0000000000428000-memory.dmp, family_redline
  - behavioral15/memory/95972-67-0x0000000000400000-0x0000000000428000-memory.dmp, family_redline
  - behavioral15/memory/952-70-0x0000000000400000-0x0000000000D19000-memory.dmp, family_redline
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 952 set thread context of 95972; 952 Sоnic Frоntiеrs Sеtuр.exe; target AppLaunch.exe
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  - 96012; 952; WerFault.exe; target Sоnic Frоntiеrs Sеtuр.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
  - 952, Sоnic Frоntiеrs Sеtuр.exe
  - 95972, AppLaunch.exe
  - 95972, AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege; 95972; AppLaunch.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, pid, process, target process):
  - PID 952 wrote to memory of 95972; 952 Sоnic Frоntiеrs Sеtuр.exe; target AppLaunch.exe (9 entries)
  - PID 952 wrote to memory of 96012; 952 Sоnic Frоntiеrs Sеtuр.exe; target WerFault.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Sоnic Frоntiеrs Sеtuр\Sоnic Frоntiеrs Sеtuр.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Sоnic Frоntiеrs Sеtuр\Sоnic Frоntiеrs Sеtuр.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 94652
    - Program crash
Downloads
- memory/952-54-0x0000000000400000-0x0000000000D19000-memory.dmp (9.1MB)
- memory/952-57-0x0000000000400000-0x0000000000D19000-memory.dmp (9.1MB)
- memory/952-70-0x0000000000400000-0x0000000000D19000-memory.dmp (9.1MB)
- memory/95972-58-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/95972-60-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/95972-65-0x0000000000422196-mapping.dmp
- memory/95972-66-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/95972-67-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/95972-69-0x0000000075DA1000-0x0000000075DA3000-memory.dmp (8KB)
- memory/96012-68-0x0000000000000000-mapping.dmp