Analysis
max time kernel: 180s
max time network: 212s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2023, 14:41
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe
  Resource: win10v2004-20221111-en
General
Target: SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe
Size: 239KB
MD5: c13f79f3a549175a175e82bb335a7d08
SHA1: fed1581184a575f662b234a1572b3e0a247207a8
SHA256: d434a19741b7854ed6c3f8f4a35bfbd0400516abc2a3b6297835df01a8b660cb
SHA512: edefd04db56d108543419e8baaf30df992108412275458568206cf8554ab098204bc536ca895f6fad5f04389e687951edb334e2467905f6aa90a471560f967cc
SSDEEP: 3072:kN+eckJ9E6A98QECSMHUCeDCDrD/9k6tSdtRqjtUy6XxTpfQ3Emxby1rrrrrrrrI:ockJ9zA98/0HO4tWvYsAl6rrrrrrrrI
Malware Config
Extracted
  redline
  1
  librchichelpai.shop:81
  rniwondunuifac.shop:81
  auth_value: b6c86adb7106e9ee7247628f59e06830
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                          procid_target
  PID 3184 set thread context of 400   3184  SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe  79
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  400  AppLaunch.exe
  400  AppLaunch.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid  Process
  Token: SeDebugPrivilege  400  AppLaunch.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                                          procid_target
  PID 3184 wrote to memory of 400   3184  SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe  79
  PID 3184 wrote to memory of 400   3184  SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe  79
  PID 3184 wrote to memory of 400   3184  SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe  79
  PID 3184 wrote to memory of 400   3184  SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe  79
  PID 3184 wrote to memory of 400   3184  SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe  79
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17696.31214.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 3184
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 400