Analysis
-
max time kernel
45s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
16-01-2023 22:43
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
615KB
-
MD5
e463c70b1eb5e110b0cd711ea594a883
-
SHA1
c1aefcf8a326a0f6e3aa7e97ef4b51c8a320b722
-
SHA256
e29dd9daaec793a33b208c9fad88f9bd4c2f2629e088ee21d28204001b86f67d
-
SHA512
d5ca66878ddbf7af59d5f9eda7778b003513a332ec7e83c0ac6f5ce2580bbbeba580bba7e531099d24a29c8bbf8b5421799a1e50ec6ee54d733e4a7ff99fd658
-
SSDEEP
12288:G5H1uk5XGi68TuzHVHiVg8P3+dNxRRXZBFNK01+nMYkBx:G5kk5XGi68Te1HiRORrkg+nM9H
Malware Config
Extracted
redline
79.137.192.41:45006
-
auth_value
e8ac1be31d35702b6f71bee03fac7e82
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
PID 2016 set thread context of 644 | 2016 | file.exe | InstallUtil.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid | process):
644 | InstallUtil.exe
644 | InstallUtil.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 644 | InstallUtil.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description | pid | process | target process):
PID 2016 wrote to memory of 644 | 2016 | file.exe | InstallUtil.exe (12 identical entries)
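The four signatures above, read together, are the classic process-hollowing shape: file.exe (PID 2016) starts a fresh, argument-less copy of the signed .NET utility InstallUtil.exe (PID 644), writes into it twelve times, then calls SetThreadContext to redirect its thread; afterwards it is the child, not the dropper, that enables SeDebugPrivilege and enumerates processes. The script below is an added example, not part of the Triage report: it transcribes the report's IoC rows into a small event list and flags parent/child pairs that show cross-process WriteProcessMemory plus SetThreadContext, enriching the hit with whether the target is a well-known hollowing host and whether it was launched with no arguments (a real InstallUtil.exe with no arguments prints its usage and exits). The event tuple layout, the HOLLOW_HOSTS list and the output fields are this script's own assumptions.

```python
"""Flag the process-hollowing sequence recorded in the sandbox signatures.

Added example, not part of the sandbox report. EVENTS and PROCS are transcribed
from the report's IoC tables and process tree (file.exe PID 2016 ->
InstallUtil.exe PID 644); the tuple layout, HOLLOW_HOSTS and the finding
fields are assumptions of this script, not Triage's data model.
"""
from collections import defaultdict

# (pid, image, api, target_pid), transcribed from the "Suspicious ..." tables.
EVENTS = (
    [(2016, "file.exe", "SetThreadContext", 644)]
    + [(2016, "file.exe", "WriteProcessMemory", 644)] * 12
    + [(644, "InstallUtil.exe", "AdjustPrivilegeToken:SeDebugPrivilege", None),
       (644, "InstallUtil.exe", "EnumeratesProcesses", None),
       (644, "InstallUtil.exe", "EnumeratesProcesses", None)]
)

# Image paths and command lines from the report's process tree.
PROCS = {
    2016: {"image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    644: {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
          "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
}

# Signed Windows/.NET binaries commonly abused as hollowing hosts (assumed list).
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hollowing(events, procs):
    """One finding per (parent, child) pair showing the hollowing shape:
    cross-process WriteProcessMemory together with SetThreadContext."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0})
    for pid, _img, api, tpid in events:
        if tpid is None or tpid == pid:
            continue  # untargeted events and self-writes are not injection
        if api == "WriteProcessMemory":
            pairs[(pid, tpid)]["writes"] += 1
        elif api == "SetThreadContext":
            pairs[(pid, tpid)]["ctx"] += 1

    findings = []
    for (pid, tpid), c in sorted(pairs.items()):
        if c["writes"] == 0 or c["ctx"] == 0:
            continue
        child = procs.get(tpid, {})
        image = child.get("image", "")
        # Command line that is only the quoted image path means "no arguments":
        # a genuine InstallUtil.exe would print usage and exit, not keep running.
        no_args = child.get("cmdline", "").strip().strip('"').lower() == image.lower()
        # Everything the child did afterwards is attributed to the injected payload.
        post = sorted({api for p, _i, api, _t in events if p == tpid})
        findings.append({
            "parent_pid": pid, "child_pid": tpid,
            "parent_image": procs.get(pid, {}).get("image"),
            "child_image": image,
            "writes": c["writes"], "set_thread_context": c["ctx"],
            "known_host": basename(image) in HOLLOW_HOSTS,
            "launched_without_args": no_args,
            "post_injection": post,
            "attack": "T1055 Process Injection (process hollowing)",
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, PROCS):
        print(f"{f['parent_image']} (PID {f['parent_pid']}) -> "
              f"{f['child_image']} (PID {f['child_pid']}): {f['writes']} writes, "
              f"SetThreadContext x{f['set_thread_context']}, known host={f['known_host']}, "
              f"no args={f['launched_without_args']}, post-injection={f['post_injection']}")
```

The same shape maps directly onto Sysmon: Event ID 10 (ProcessAccess) from the dropper to the child with PROCESS_VM_WRITE/SET_THREAD_CONTEXT-bearing access masks, followed by Event ID 1 showing a Windows-directory .NET host launched with no arguments by a binary in %TEMP%.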
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2, child of file.exe)
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/644-56-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
-
memory/644-57-0x000000000041B58E-mapping.dmp
-
memory/644-59-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
-
memory/644-61-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
-
memory/644-62-0x00000000766D1000-0x00000000766D3000-memory.dmp (Filesize 8KB)
-
memory/2016-54-0x0000000000E30000-0x0000000000ECC000-memory.dmp (Filesize 624KB)
-
memory/2016-55-0x00000000003C0000-0x000000000043C000-memory.dmp (Filesize 496KB)
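When triaging a hollowing case like this one, the question is which of the dumps holds the injected image. The script below is an added example, not part of the Triage report: it parses the Downloads names above (the memory/<pid>-<seq>-<start>-<end>-memory.dmp and memory/<pid>-<seq>-<addr>-mapping.dmp convention is inferred from those names), checks each stated size against the address range so truncated dumps stand out, and reports which dumps of the same PID contain the mapping address. Treating that mapping address as the point the new thread context was aimed at is this script's assumption; what the page supports is that 0x41B58E falls inside the three 0x400000-0x43C000 dumps of PID 644, and 0x400000 is the default image base of a 32-bit PE, so those 240KB dumps are the first thing to carve, hash and scan.

```python
"""Correlate the report's memory dumps with the injected image.

Added example, not part of the sandbox report. DUMPS is the Downloads list
transcribed from the report; the file-name convention is inferred from those
names, and reading the mapping address as the redirected thread's target is
an assumption of this script.
"""
import re

DUMPS = [
    ("memory/644-56-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/644-57-0x000000000041B58E-mapping.dmp", None),
    ("memory/644-59-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/644-61-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/644-62-0x00000000766D1000-0x00000000766D3000-memory.dmp", "8KB"),
    ("memory/2016-54-0x0000000000E30000-0x0000000000ECC000-memory.dmp", "624KB"),
    ("memory/2016-55-0x00000000003C0000-0x000000000043C000-memory.dmp", "496KB"),
]

REGION = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
MAPPING = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-mapping\.dmp$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
DEFAULT_32BIT_IMAGE_BASE = 0x400000


def parse_size(text):
    """'240KB' -> 245760 (binary units, as the report's sizes line up with)."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m[1]) * UNITS[m[2]]


def parse_dumps(entries):
    """Split the Downloads list into region dumps and mapping markers."""
    regions, mappings = [], []
    for name, size in entries:
        if m := REGION.match(name):
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end,
                            "bytes": end - start,
                            "stated": parse_size(size) if size else None})
        elif m := MAPPING.match(name):
            mappings.append({"pid": int(m[1]), "seq": int(m[2]), "addr": int(m[3], 16)})
        # anything else (e.g. dropped files) is ignored by this example
    return regions, mappings


def size_mismatches(regions):
    """Seq numbers whose stated size differs from end-start: partial dumps."""
    return [r["seq"] for r in regions
            if r["stated"] is not None and r["stated"] != r["bytes"]]


def locate_mappings(regions, mappings):
    """For each mapping address: same-PID dumps containing it, the offset into
    those dumps, and whether the region sits at the default 32-bit image base."""
    out = []
    for mp in mappings:
        hits = [r for r in regions
                if r["pid"] == mp["pid"] and r["start"] <= mp["addr"] < r["end"]]
        out.append({
            "pid": mp["pid"], "addr": mp["addr"],
            "regions": [r["seq"] for r in hits],
            "offset": mp["addr"] - hits[0]["start"] if hits else None,
            "default_32bit_base": bool(hits) and hits[0]["start"] == DEFAULT_32BIT_IMAGE_BASE,
        })
    return out


if __name__ == "__main__":
    regions, mappings = parse_dumps(DUMPS)
    print("size mismatches:", size_mismatches(regions) or "none")
    for loc in locate_mappings(regions, mappings):
        print(f"PID {loc['pid']}: 0x{loc['addr']:X} is in dumps {loc['regions']} "
              f"at offset 0x{loc['offset']:X}, default base={loc['default_32bit_base']}")
```

Three dumps of the same 0x400000-0x43C000 range (seq 56, 59, 61) means the sandbox captured that image at successive points; diffing them shows whether the payload unpacked further after the thread was redirected, and any one of them can be given the MZ/PE header check and a RedLine YARA pass before spending time on the dropper's own regions in PID 2016.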