Analysis
- max time kernel: 91s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-02-2023 16:39
- Static task: static1
- Behavioral task: behavioral1
  Sample: 301ff7a420fd0552c93742d4175275c3.exe
  Resource: win7-20221111-en
- Behavioral task: behavioral2
  Sample: 301ff7a420fd0552c93742d4175275c3.exe
  Resource: win10v2004-20220901-en
General
- Target: 301ff7a420fd0552c93742d4175275c3.exe
- Size: 263KB
- MD5: 301ff7a420fd0552c93742d4175275c3
- SHA1: fb56ef9a722c6aa8d4f3466d9d582cacee0d9b2a
- SHA256: b0a89158dea9dcc2316980ad63bd51fe9940d9fb3457ecf103aceeafa6b8dea0
- SHA512: f752934c917002a8cdc3bd5f1f5e9117658c7cc1b598560c7fc8d211fb93e5ebf301b30bea20e47d9416d2488ab57abaf0a9ccd684405c61e7488816a2d341c8
- SSDEEP: 6144:wusgrsMWFXLukIGXpKtWQu3OoZlC+59COUo:wnNlL/I2n35l599Uo
Malware Config
Extracted
- Family: redline
- 37.220.87.13:40676
- auth_value: 6a55bb111a7651699b2b1febe113c3ae
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                         | pid  | process                              | target process
  PID 3284 set thread context of 4844 | 3284 | 301ff7a420fd0552c93742d4175275c3.exe | AppLaunch.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  | process
  4844 | AppLaunch.exe
  4844 | AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 4844 | AppLaunch.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                      | pid  | process                              | target process
  PID 3284 wrote to memory of 4844 | 3284 | 301ff7a420fd0552c93742d4175275c3.exe | AppLaunch.exe
  PID 3284 wrote to memory of 4844 | 3284 | 301ff7a420fd0552c93742d4175275c3.exe | AppLaunch.exe
  PID 3284 wrote to memory of 4844 | 3284 | 301ff7a420fd0552c93742d4175275c3.exe | AppLaunch.exe
  PID 3284 wrote to memory of 4844 | 3284 | 301ff7a420fd0552c93742d4175275c3.exe | AppLaunch.exe
  PID 3284 wrote to memory of 4844 | 3284 | 301ff7a420fd0552c93742d4175275c3.exe | AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\301ff7a420fd0552c93742d4175275c3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\301ff7a420fd0552c93742d4175275c3.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4844-132-0x0000000000000000-mapping.dmp
- memory/4844-133-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/4844-138-0x0000000005410000-0x0000000005A28000-memory.dmp (Filesize: 6.1MB)
- memory/4844-139-0x0000000004F40000-0x000000000504A000-memory.dmp (Filesize: 1.0MB)
- memory/4844-140-0x0000000004E70000-0x0000000004E82000-memory.dmp (Filesize: 72KB)
- memory/4844-141-0x0000000004ED0000-0x0000000004F0C000-memory.dmp (Filesize: 240KB)
- memory/4844-142-0x0000000005210000-0x00000000052A2000-memory.dmp (Filesize: 584KB)
- memory/4844-143-0x0000000005FE0000-0x0000000006584000-memory.dmp (Filesize: 5.6MB)
- memory/4844-144-0x00000000052B0000-0x0000000005316000-memory.dmp (Filesize: 408KB)
- memory/4844-145-0x0000000006760000-0x0000000006922000-memory.dmp (Filesize: 1.8MB)
- memory/4844-146-0x0000000006E60000-0x000000000738C000-memory.dmp (Filesize: 5.2MB)
- memory/4844-147-0x0000000006690000-0x0000000006706000-memory.dmp (Filesize: 472KB)
- memory/4844-148-0x0000000006710000-0x0000000006760000-memory.dmp (Filesize: 320KB)