Overview
overview
10Static
static
infected/F...98.exe
windows7-x64
8infected/F...98.exe
windows10-2004-x64
8infected/I...er.exe
windows7-x64
10infected/I...er.exe
windows10-2004-x64
10infected/R...ed.exe
windows7-x64
10infected/R...ed.exe
windows10-2004-x64
10infected/S...64.exe
windows7-x64
10infected/S...64.exe
windows10-2004-x64
10infected/b...kO.exe
windows7-x64
10infected/b...kO.exe
windows10-2004-x64
10Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
15/01/2023, 17:11
Static task
static1
Behavioral task
behavioral1
Sample
infected/Furk Ultra_10298.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
infected/Furk Ultra_10298.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
infected/Installer.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
infected/Installer.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral5
Sample
infected/RobloxSynapceX Cracked.exe
Resource
win7-20221111-en
Behavioral task
behavioral6
Sample
infected/RobloxSynapceX Cracked.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral7
Sample
infected/Setup x64.exe
Resource
win7-20221111-en
Behavioral task
behavioral8
Sample
infected/Setup x64.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
infected/best-setup_FLc4rckO.exe
Resource
win7-20221111-en
Behavioral task
behavioral10
Sample
infected/best-setup_FLc4rckO.exe
Resource
win10v2004-20220812-en
General
-
Target
infected/RobloxSynapceX Cracked.exe
-
Size
521KB
-
MD5
0afb47c295e5bc185b8272dc5a8967b6
-
SHA1
5cedced75b7fc0a2f3457e9ff4e0c98b171b9ccb
-
SHA256
0a7431f4637b27f103a4fb6d8cca52248cb4c7a77c8dd5500ca351c45c355320
-
SHA512
03f49b5f06ebfb4ee42b1e82ad36515a34823904b9d7b3c28e99d9345b2052ea689552e8b9c39b4ca47efa5dbf60ab98cf325397e4be68c759777d7cdd7823dc
-
SSDEEP
12288:O8DF2BeDFTYaOCaDecRe6kFfo13yzbVMyVS:O8DF2wDFTYaCY6kXz1VS
Malware Config
Extracted
redline
82.115.223.46:57672
-
auth_value
422677a3af554849aa4fba45f91db2d0
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 568 set thread context of 520 568 RobloxSynapceX Cracked.exe 29 -
Program crash 1 IoCs
pid pid_target Process procid_target 1448 568 WerFault.exe 22 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 520 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 520 vbc.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 568 wrote to memory of 520 568 RobloxSynapceX Cracked.exe 29 PID 568 wrote to memory of 520 568 RobloxSynapceX Cracked.exe 29 PID 568 wrote to memory of 520 568 RobloxSynapceX Cracked.exe 29 PID 568 wrote to memory of 520 568 RobloxSynapceX Cracked.exe 29 PID 568 wrote to memory of 520 568 RobloxSynapceX Cracked.exe 29 PID 568 wrote to memory of 520 568 RobloxSynapceX Cracked.exe 29 PID 568 wrote to memory of 1448 568 RobloxSynapceX Cracked.exe 30 PID 568 wrote to memory of 1448 568 RobloxSynapceX Cracked.exe 30 PID 568 wrote to memory of 1448 568 RobloxSynapceX Cracked.exe 30 PID 568 wrote to memory of 1448 568 RobloxSynapceX Cracked.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe"C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 362⤵
- Program crash
PID:1448
-