Analysis
-
max time kernel
86s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
11-03-2023 15:36
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
General
-
Target
file.exe
-
Size
275KB
-
MD5
4b4fcb4bf098de394c89c6aa6eb0480e
-
SHA1
75d41d02227f70002f15e963ec774f6269e7383d
-
SHA256
f98254fc054ad990b23b14f0f1ec3ed61bbe43db4f44cc0ac8510b886b4c6c62
-
SHA512
0a3f2f96054f9339c73857569bd3a9fc1f0d1050434f883b437b99508da4b23f45a0e7f712a8d841c3d37525eb393c45e7ae538816dee4a40a18bf315e4517cf
-
SSDEEP
3072:W3ulWbph6qoA3xKaay6YtbtauzZvBW3oXd9jxfwjKosZUvEz/SV0efZXGkvwg2:W3ulIpQnA3xIOxauVvsYXlfwjXTVkkIB
Malware Config
Extracted
redline
TG
185.244.182.218:2027
-
auth_value
797af1930057d299397fd39ab31da9cc
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process PID | target process
PID 2144 set thread context of 2784 | 2144 | file.exe | 2784 | AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
2784 | AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2784 | AppLaunch.exe
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
description | pid | process | target process PID | target process
PID 2144 wrote to memory of 2784 | 2144 | file.exe | 2784 | AppLaunch.exe
PID 2144 wrote to memory of 2784 | 2144 | file.exe | 2784 | AppLaunch.exe
PID 2144 wrote to memory of 2784 | 2144 | file.exe | 2784 | AppLaunch.exe
PID 2144 wrote to memory of 2784 | 2144 | file.exe | 2784 | AppLaunch.exe
PID 2144 wrote to memory of 2784 | 2144 | file.exe | 2784 | AppLaunch.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2144)
   command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2784, child of file.exe)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2784-134-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/2784-139-0x00000000055F0000-0x0000000005C08000-memory.dmp (Filesize: 6.1MB)
- memory/2784-140-0x0000000005150000-0x000000000525A000-memory.dmp (Filesize: 1.0MB)
- memory/2784-141-0x0000000005080000-0x0000000005092000-memory.dmp (Filesize: 72KB)
- memory/2784-142-0x00000000050E0000-0x000000000511C000-memory.dmp (Filesize: 240KB)
- memory/2784-143-0x0000000005420000-0x0000000005430000-memory.dmp (Filesize: 64KB)
- memory/2784-144-0x00000000061C0000-0x0000000006764000-memory.dmp (Filesize: 5.6MB)
- memory/2784-145-0x00000000054D0000-0x0000000005562000-memory.dmp (Filesize: 584KB)
- memory/2784-146-0x0000000005570000-0x00000000055D6000-memory.dmp (Filesize: 408KB)
- memory/2784-147-0x0000000006770000-0x00000000067E6000-memory.dmp (Filesize: 472KB)
- memory/2784-148-0x00000000060D0000-0x0000000006120000-memory.dmp (Filesize: 320KB)
- memory/2784-149-0x00000000069C0000-0x0000000006B82000-memory.dmp (Filesize: 1.8MB)
- memory/2784-150-0x00000000070C0000-0x00000000075EC000-memory.dmp (Filesize: 5.2MB)
- memory/2784-151-0x0000000005420000-0x0000000005430000-memory.dmp (Filesize: 64KB)