redline | c6ba6e0c56909cea5c8b8c1ece68a17db773110c47fa5e3e88a809218596bdce

Resubmissions

04/01/2023, 00:10

230104-af5ndadc88 10

Analysis

max time kernel
55s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/01/2023, 00:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Micetopia/rungame.exe
Size

752.5MB
MD5

5a0474481175e6c7b09bc00b6850bd0d
SHA1

6f8b6c6d94ff99ee259656d17d02107721677a56
SHA256

d9c3952bdeb57e5a7378bb0c97cbf99584e27259c85119e4f2d838746cae2d19
SHA512

9cd140be34ea4ee0eca2ee998e664f53d5e2eab890bd8a7bcea7e9a5134bd666475ad595c7d52eb2e2f72623c5901bc6ec6b26e22955dad7dda52518dceef8bf
SSDEEP

6144:IT6GN8vB8kFDIozpRaV9iktC0KRDyAeP9EBOLrRCOSs9Tdl5ofgfwLoshP+Q3KEv:I4Pa0OH9rWyBw+Tk1qU17Nfn80r+Ga6

Score

10^/10

redline 1086881322_99 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

1086881322_99

themocca.xyz:3306

themocca.xyz:28786

Attributes

auth_value
c7b4b3ad5c912786e8dea8b34a307b0d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 752 set thread context of 1072	752	rungame.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1072	AppLaunch.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1072	AppLaunch.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	taskmgr.exe
Token: SeDebugPrivilege	1072	AppLaunch.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1072	752	rungame.exe	28
PID 752 wrote to memory of 1072	752	rungame.exe	28
PID 752 wrote to memory of 1072	752	rungame.exe	28
PID 752 wrote to memory of 1072	752	rungame.exe	28
PID 752 wrote to memory of 1072	752	rungame.exe	28
PID 752 wrote to memory of 1072	752	rungame.exe	28
PID 752 wrote to memory of 1072	752	rungame.exe	28
PID 752 wrote to memory of 1072	752	rungame.exe	28
PID 752 wrote to memory of 1072	752	rungame.exe	28

C:\Users\Admin\AppData\Local\Temp\Micetopia\rungame.exe
"C:\Users\Admin\AppData\Local\Temp\Micetopia\rungame.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-54-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/1072-56-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/1072-63-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/1072-62-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/1072-64-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1992-65-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/1992-66-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download