Analysis

max time kernel: 286s
max time network: 345s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 08:56
Behavioral task: behavioral1
Sample: 6ca29843451682718a8cc03462bbd544.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 6ca29843451682718a8cc03462bbd544.exe
Resource: win10v2004-20221111-en
General

Target: 6ca29843451682718a8cc03462bbd544.exe
Size: 234KB
MD5: 6ca29843451682718a8cc03462bbd544
SHA1: 171b9c59f22abfc36827dfd635727db965bcb80b
SHA256: e77cc2db76d740d0e6cb865deb50ac9511f614a96c7f8636c2b68ab3ecdb4f98
SHA512: ae179e42115f0acc1c6430b80c8f9291c8902c790a6e71e3686f065826b48e39d9e9fc5911ad84106922decb3175770e0b5a786d79e9a22c82889060bf00c3a7
SSDEEP: 3072:p16Glo1kYieIFQzANlIuDo5vtmcx5PXrbG1YmK4giOxTYz2nD5C5poKQRRd8/vXn:TlxNxGvt//PXrbpmtSTYkt9ovPoqgM
Malware Config

Extracted
Family: redline
Botnet: 1
C2: 95.217.102.105:33508
Attributes: auth_value d1ba4561de5eb84044e2061ff7d1423c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/2284-137-0x00000000003C0000-0x0000000000425000-memory.dmp   family_redline
  behavioral2/memory/98036-139-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline

Suspicious use of SetThreadContext (1 IoC)
Processes: 6ca29843451682718a8cc03462bbd544.exe
  description                           pid   process                               target process
  PID 2284 set thread context of 98036  2284  6ca29843451682718a8cc03462bbd544.exe  AppLaunch.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target  process       target process
  3100  2284        WerFault.exe  6ca29843451682718a8cc03462bbd544.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 6ca29843451682718a8cc03462bbd544.exe
  description                        pid   process                               target process
  PID 2284 wrote to memory of 98036  2284  6ca29843451682718a8cc03462bbd544.exe  AppLaunch.exe
  PID 2284 wrote to memory of 98036  2284  6ca29843451682718a8cc03462bbd544.exe  AppLaunch.exe
  PID 2284 wrote to memory of 98036  2284  6ca29843451682718a8cc03462bbd544.exe  AppLaunch.exe
  PID 2284 wrote to memory of 98036  2284  6ca29843451682718a8cc03462bbd544.exe  AppLaunch.exe
  PID 2284 wrote to memory of 98036  2284  6ca29843451682718a8cc03462bbd544.exe  AppLaunch.exe
  PID 2284 wrote to memory of 3100   2284  6ca29843451682718a8cc03462bbd544.exe  WerFault.exe
  PID 2284 wrote to memory of 3100   2284  6ca29843451682718a8cc03462bbd544.exe  WerFault.exe
  PID 2284 wrote to memory of 3100   2284  6ca29843451682718a8cc03462bbd544.exe  WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\6ca29843451682718a8cc03462bbd544.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ca29843451682718a8cc03462bbd544.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 94740
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2284 -ip 2284
Network
MITRE ATT&CK Matrix
Downloads

memory/2284-133-0x00000000003C0000-0x0000000000425000-memory.dmp   Filesize: 404KB
memory/2284-134-0x00000000003C0000-0x0000000000425000-memory.dmp   Filesize: 404KB
memory/2284-135-0x00000000003C0000-0x0000000000425000-memory.dmp   Filesize: 404KB
memory/2284-136-0x00000000003C0000-0x0000000000425000-memory.dmp   Filesize: 404KB
memory/2284-137-0x00000000003C0000-0x0000000000425000-memory.dmp   Filesize: 404KB
memory/3100-144-0x0000000000000000-mapping.dmp
memory/98036-138-0x0000000000000000-mapping.dmp
memory/98036-139-0x0000000000400000-0x0000000000428000-memory.dmp  Filesize: 160KB