Analysis
- max time kernel: 91s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 16-12-2022 22:13
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 249KB
- MD5: b6a18789ab0263f4eab7ab97287ecbee
- SHA1: 8787cee17a183d20ad0251076168953110ab90be
- SHA256: 651ee42db18f616fad32be821a25bed84dc6c75bad45284382273d3d07d55597
- SHA512: a1c2c4e3658b041c50948aabc2c86b54a190b7cbcf335825b7e6f631cf06118e5a643c1b9cef47e400691c085c102b92aac4b8210bb35b728ccafe5bafe615bb
- SSDEEP: 1536:x6r3JgI5plLY23JQvnFCohuftzEPKqa4gi6CMhSZFiyBRZkKs3I6C04s1lPkWttv:xK3xtLY2NfWyq+wpRTMaqx
Malware Config
- Extracted: redline
- Install
- 142.93.198.232:81
- auth_value: f9affed97251c08e7a096257ba9edfb2
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- .NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  Processes:
    resource: behavioral2/memory/4324-132-0x000001754E9B0000-0x000001754E9F2000-memory.dmp | yara_rule: net_reactor
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: file.exe
    description: PID 4324 set thread context of 960 | pid: 4324 | process: file.exe | target process: InstallUtil.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: InstallUtil.exe
    pid: 960 | process: InstallUtil.exe
    pid: 960 | process: InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: file.exe, InstallUtil.exe
    description: Token: SeDebugPrivilege | pid: 4324 | process: file.exe
    description: Token: SeDebugPrivilege | pid: 960 | process: InstallUtil.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: file.exe
    8 events, each: description: PID 4324 wrote to memory of 960 | pid: 4324 | process: file.exe | target process: InstallUtil.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/960-138-0x0000000005630000-0x000000000573A000-memory.dmp (Filesize: 1.0MB)
- memory/960-143-0x0000000006B30000-0x0000000006BC2000-memory.dmp (Filesize: 584KB)
- memory/960-134-0x0000000000400000-0x0000000000454000-memory.dmp (Filesize: 336KB)
- memory/960-135-0x000000000041B58A-mapping.dmp
- memory/960-139-0x0000000005560000-0x0000000005572000-memory.dmp (Filesize: 72KB)
- memory/960-137-0x0000000005AB0000-0x00000000060C8000-memory.dmp (Filesize: 6.1MB)
- memory/960-145-0x0000000007C80000-0x00000000081AC000-memory.dmp (Filesize: 5.2MB)
- memory/960-144-0x0000000007580000-0x0000000007742000-memory.dmp (Filesize: 1.8MB)
- memory/960-142-0x0000000006FD0000-0x0000000007574000-memory.dmp (Filesize: 5.6MB)
- memory/960-141-0x00000000068A0000-0x0000000006906000-memory.dmp (Filesize: 408KB)
- memory/960-140-0x0000000005740000-0x000000000577C000-memory.dmp (Filesize: 240KB)
- memory/4324-136-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp (Filesize: 10.8MB)
- memory/4324-132-0x000001754E9B0000-0x000001754E9F2000-memory.dmp (Filesize: 264KB)
- memory/4324-133-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp (Filesize: 10.8MB)