Analysis

max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11-03-2023 15:36
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20230220-en)
General

Target: file.exe
Size: 275KB
MD5: 4b4fcb4bf098de394c89c6aa6eb0480e
SHA1: 75d41d02227f70002f15e963ec774f6269e7383d
SHA256: f98254fc054ad990b23b14f0f1ec3ed61bbe43db4f44cc0ac8510b886b4c6c62
SHA512: 0a3f2f96054f9339c73857569bd3a9fc1f0d1050434f883b437b99508da4b23f45a0e7f712a8d841c3d37525eb393c45e7ae538816dee4a40a18bf315e4517cf
SSDEEP: 3072:W3ulWbph6qoA3xKaay6YtbtauzZvBW3oXd9jxfwjKosZUvEz/SV0efZXGkvwg2:W3ulIpQnA3xIOxauVvsYXlfwjXTVkkIB
Malware Config

Extracted
Family: redline
Botnet: TG
C2: 185.244.182.218:2027
auth_value: 797af1930057d299397fd39ab31da9cc
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          | pid  | process  | target process
  PID 2008 set thread context of 1784  | 2008 | file.exe | AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid  | process
  1784 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 1784 | AppLaunch.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       | pid  | process  | target process
  PID 2008 wrote to memory of 1784  | 2008 | file.exe | AppLaunch.exe   (this entry is reported 9 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\file.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

file                                                             | filesize
memory/1784-55-0x0000000000400000-0x0000000000432000-memory.dmp  | 200KB
memory/1784-56-0x0000000000400000-0x0000000000432000-memory.dmp  | 200KB
memory/1784-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp  | 4KB
memory/1784-63-0x0000000000400000-0x0000000000432000-memory.dmp  | 200KB
memory/1784-62-0x0000000000400000-0x0000000000432000-memory.dmp  | 200KB
memory/1784-64-0x0000000004B80000-0x0000000004BC0000-memory.dmp  | 256KB