Analysis
- max time kernel: 144s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-04-2023 09:04
Static task: static1
Behavioral task: behavioral1
- Sample: EmNpZQKFsjAgeAss.exe
- Resource: win10-20230220-en
Behavioral task: behavioral2
- Sample: EmNpZQKFsjAgeAss.exe
- Resource: win7-20230220-en
General
- Target: EmNpZQKFsjAgeAss.exe
- Size: 502KB
- MD5: da3491ec1082ea275af89ded590fedbc
- SHA1: af5a582a513f3b0c727551d5a1646b8b3f14bf2f
- SHA256: 1b33ac622d65ce8b666f4ed01549eaec45ee0b43242c073cf890bc6df61459e5
- SHA512: 67e8f450a0360a1aff737278c25fec3bf6ae485d813ba3bc3c311f6940d0754c88fb7818e556c44b4265dd436a3fbc4616882836003e6ef05c49117c54cd7766
- SSDEEP: 6144:i+B9OckfNSJuQQdrpFgi+OP1xN/R+5+59IYMbBmka/go6UhcX7elbKTu19bfF/Ho:i+nOcENSkQJi/N/RWw9vlkjo63X3uz
Malware Config
Extracted
- Family: redline
- Botnet: cheat
- C2: 127.0.0.1:15235
Signatures
- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  Processes (resource: yara_rule):
  - behavioral3/memory/1004-136-0x0000000005B50000-0x0000000006168000-memory.dmp: redline_stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes (resource: yara_rule):
  - behavioral3/memory/1004-134-0x0000000000400000-0x000000000041E000-memory.dmp: family_redline
- SectopRAT payload (1 IoC)
  Processes (resource: yara_rule):
  - behavioral3/memory/1004-134-0x0000000000400000-0x000000000041E000-memory.dmp: family_sectoprat
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 3744 set thread context of 1004 | 3744 | EmNpZQKFsjAgeAss.exe | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1004 | RegAsm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  - PID 3744 wrote to memory of 1004 | 3744 | EmNpZQKFsjAgeAss.exe | RegAsm.exe (8 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\EmNpZQKFsjAgeAss.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\EmNpZQKFsjAgeAss.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of process 1)
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
   - Suspicious use of AdjustPrivilegeToken
Downloads (memory dumps)
- memory/1004-134-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/1004-136-0x0000000005B50000-0x0000000006168000-memory.dmp: 6.1MB
- memory/1004-137-0x0000000005590000-0x00000000055A2000-memory.dmp: 72KB
- memory/1004-138-0x00000000055F0000-0x000000000562C000-memory.dmp: 240KB
- memory/1004-139-0x0000000005520000-0x0000000005530000-memory.dmp: 64KB
- memory/1004-140-0x00000000058B0000-0x00000000059BA000-memory.dmp: 1.0MB
- memory/1004-141-0x0000000005520000-0x0000000005530000-memory.dmp: 64KB
- memory/3744-133-0x0000000000D40000-0x0000000000DC4000-memory.dmp: 528KB