Analysis
- max time kernel: 185s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 17:19
Static task
- static1
Behavioral task
- behavioral1
  Sample: Battle Seekers Launcher (Beta).exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: Battle Seekers Launcher (Beta).exe
  Resource: win10v2004-20221111-en
General
- Target: Battle Seekers Launcher (Beta).exe
- Size: 4.1MB
- MD5: 4881b2c1686d3fbb733ce0491f679a9c
- SHA1: e4b5dca72da311237653818289518e5925344f09
- SHA256: 1c624915c8c7c82d436f0c5480fb8850d8fbb4c195e56d78d9ba438aa2f2305e
- SHA512: 707cf68396c00832ba2ae6249d90a392fb8b2e0fda1eab67520e8bb9baff76b4c6e9415259b5c1f454bdd907e1ab1b3fc9ebfe0d3ede1ad39acec24a3179563b
- SSDEEP: 98304:36a6T13ABtnyEZMkEPVcQFU1ko0zPrltOC4tihb:L6T13AHnyMMV9cskkBPb4tih
Malware Config
Extracted
- redline
- xmas
- 79.137.199.206:45354
- auth_value: 47dd71225cb3a0a92188486269819009
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process                             target process
    PID 4228 set thread context of 4684   4228  Battle Seekers Launcher (Beta).exe  AddInProcess32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                           pid   process                             target process
    PID 4228 wrote to memory of 4684      4228  Battle Seekers Launcher (Beta).exe  AddInProcess32.exe
    PID 4228 wrote to memory of 4684      4228  Battle Seekers Launcher (Beta).exe  AddInProcess32.exe
    PID 4228 wrote to memory of 4684      4228  Battle Seekers Launcher (Beta).exe  AddInProcess32.exe
    PID 4228 wrote to memory of 4684      4228  Battle Seekers Launcher (Beta).exe  AddInProcess32.exe
    PID 4228 wrote to memory of 4684      4228  Battle Seekers Launcher (Beta).exe  AddInProcess32.exe
    PID 4228 wrote to memory of 4684      4228  Battle Seekers Launcher (Beta).exe  AddInProcess32.exe
    PID 4228 wrote to memory of 4684      4228  Battle Seekers Launcher (Beta).exe  AddInProcess32.exe
    PID 4228 wrote to memory of 4684      4228  Battle Seekers Launcher (Beta).exe  AddInProcess32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Battle Seekers Launcher (Beta).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Battle Seekers Launcher (Beta).exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (child of the launcher)
    Command line: "C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/4228-132-0x00007FF732E30000-0x00007FF7335B1000-memory.dmp (filesize: 7.5MB)
- memory/4228-135-0x00007FF732E30000-0x00007FF7335B1000-memory.dmp (filesize: 7.5MB)
- memory/4228-136-0x00007FF732E30000-0x00007FF7335B1000-memory.dmp (filesize: 7.5MB)
- memory/4228-139-0x00007FF732E30000-0x00007FF7335B1000-memory.dmp (filesize: 7.5MB)
- memory/4684-137-0x0000000000400000-0x0000000000438000-memory.dmp (filesize: 224KB)
- memory/4684-138-0x000000000041834E-mapping.dmp
- memory/4684-140-0x0000000005D70000-0x0000000006388000-memory.dmp (filesize: 6.1MB)
- memory/4684-141-0x0000000005780000-0x0000000005792000-memory.dmp (filesize: 72KB)
- memory/4684-142-0x00000000058B0000-0x00000000059BA000-memory.dmp (filesize: 1.0MB)
- memory/4684-143-0x00000000057E0000-0x000000000581C000-memory.dmp (filesize: 240KB)