Analysis
Max time kernel: 113s
Max time network: 128s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17-05-2023 11:14
Static task: static1
Behavioral task: behavioral1
  Sample: validator.dll.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: validator.dll.exe
  Resource: win10v2004-20230220-en
General
Target: validator.dll.exe
Size: 12KB
MD5: 03c3f979feffbf02e7ab9a66f9a1f7b4
SHA1: 826e5038b32c3975821eb8641e484b575fdfa7e9
SHA256: f746b0a6d47ddc6b6a03d78a7dca6e61bbb32a35cdf89073cd245eb4662cfbfd
SHA512: 14451960a5e111d44d58e0660a0d5f1dfcae74046fd595d6e8f758c0d01181141201af0813425e571f2296b9cab2ed314ac2a65d1ba139d4deaf6180b5e9a8ea
SSDEEP: 192:wMJ0X7yZWu7s3+7DBPSVcWF28A6lJGNyQK+NAA5yQ03826p:wvLygTO7D4qWF28bJHQllm6
Malware Config
Extracted
Family: redline
Botnet: Love Fi Lo
C2: 111.90.149.195:55186
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoC)
  Resource: behavioral2/memory/1756-136-0x0000000000400000-0x000000000041E000-memory.dmp
  YARA rule: family_redline
SectopRAT payload (1 IoC)
  Resource: behavioral2/memory/1756-136-0x0000000000400000-0x000000000041E000-memory.dmp
  YARA rule: family_sectoprat
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 61: ipinfo.io
  Flow 62: ipinfo.io
Suspicious use of SetThreadContext (1 IoC)
  Description: set thread context
  PID 2108 (validator.dll.exe) -> target PID 1756 (aspnet_regbrowsers.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2108 (validator.dll.exe)
  Token: SeDebugPrivilege, PID 1756 (aspnet_regbrowsers.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
  Description: wrote to memory of
  PID 2108 (validator.dll.exe) -> target PID 1756 (aspnet_regbrowsers.exe), 8 identical entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\validator.dll.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\validator.dll.exe"
   PID: 2108
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (child of PID 2108)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      PID: 1756
      - Suspicious use of AdjustPrivilegeToken