Analysis
max time kernel: 135s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-04-2023 02:21
Static task: static1
Behavioral task: behavioral1
  Sample: a568121c4b1c4b36b77ef499167b265f.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: a568121c4b1c4b36b77ef499167b265f.exe
  Resource: win10v2004-20230220-en
General
Target: a568121c4b1c4b36b77ef499167b265f.exe
Size: 1.4MB
MD5: a568121c4b1c4b36b77ef499167b265f
SHA1: 92af7c91cedcdcd39b3ae2c8a2430b4789f3a90e
SHA256: a44ee9b6798df416a1186c178f7aa03c29bc912792cfab520f35486be3afd6bc
SHA512: dc73d4437a34f05178c3b28f80247d6d77e5171c60b554b626c09fb2c49b0e379f7f60b2d057e13027836d4cc605344f89988881737a5f39949205809f896bef
SSDEEP: 24576:4tj4/Bk1qWa5ypygsQks5KkemsHikXWvSOcOxVjKX4oSpckFmgiddd+ADb:4tj4/BAqWVtnks5KkemINXWvSlOxQX4G
Malware Config
Extracted
  redline
  m2
  80.85.157.78:38561
  auth_value: 6e2d096364fb8cafaa57bb78f353a4da
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         pid  process                               target process
    PID 632 set thread context of 2376  632  a568121c4b1c4b36b77ef499167b265f.exe  ngentask.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid   process
    632   a568121c4b1c4b36b77ef499167b265f.exe  (10 entries)
    2376  ngentask.exe                          (2 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2376  ngentask.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                      pid  process                               target process
    PID 632 wrote to memory of 1500  632  a568121c4b1c4b36b77ef499167b265f.exe  ngentask.exe  (3 entries)
    PID 632 wrote to memory of 2376  632  a568121c4b1c4b36b77ef499167b265f.exe  ngentask.exe  (5 entries)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\a568121c4b1c4b36b77ef499167b265f.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
   2. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                            filesize
memory/632-134-0x000000000BCC0000-0x000000000BE46000-memory.dmp   1.5MB
memory/2376-135-0x0000000000400000-0x0000000000430000-memory.dmp  192KB
memory/2376-137-0x0000000000400000-0x0000000000430000-memory.dmp  192KB
memory/2376-138-0x000000000B7C0000-0x000000000BDD8000-memory.dmp  6.1MB
memory/2376-139-0x000000000D150000-0x000000000D25A000-memory.dmp  1.0MB
memory/2376-140-0x000000000D040000-0x000000000D052000-memory.dmp  72KB
memory/2376-141-0x000000000D060000-0x000000000D09C000-memory.dmp  240KB
memory/2376-142-0x00000000057C0000-0x00000000057D0000-memory.dmp  64KB
memory/2376-143-0x000000000D420000-0x000000000D496000-memory.dmp  472KB
memory/2376-144-0x000000000D540000-0x000000000D5D2000-memory.dmp  584KB
memory/2376-145-0x000000000DB90000-0x000000000E134000-memory.dmp  5.6MB
memory/2376-146-0x000000000D5E0000-0x000000000D646000-memory.dmp  408KB
memory/2376-147-0x000000000D820000-0x000000000D9E2000-memory.dmp  1.8MB
memory/2376-148-0x000000000E670000-0x000000000EB9C000-memory.dmp  5.2MB
memory/2376-149-0x000000000D710000-0x000000000D760000-memory.dmp  320KB
memory/2376-150-0x00000000057C0000-0x00000000057D0000-memory.dmp  64KB