Analysis
max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2023 18:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2bfddaf30f7a81fd209a17e8bc06c5a6.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 2bfddaf30f7a81fd209a17e8bc06c5a6.exe
  Resource: win10v2004-20230220-en
General
Target: 2bfddaf30f7a81fd209a17e8bc06c5a6.exe
Size: 308KB
MD5: 2bfddaf30f7a81fd209a17e8bc06c5a6
SHA1: b23725a3a0c01ddd4d07699b03acf33426bc94ec
SHA256: c5267206c758ddf1b172ee1eb0e09f4251c5dec7eda3b54a9778baebb7f39b94
SHA512: a44e56ee7f03f6a1ac262147e1a89fd4226e7696bc427ad6e89bd7056350d4285aaeb671327febf118ae88a0e2b0820e4280d9ae49ec80f78e610dd3ce3a00ed
SSDEEP: 6144:l2CKgIA9DRQhEttFvFheGReKF/CYgaJQrvBrfNHkI:VIcDGhE7FdNlRfgwQTb3
Malware Config
Extracted
Family: redline
Botnet: 0
C2: 65.108.210.134:23732
auth_value: 29b638406f4732fa6a2b4b943e4d21df
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                            pid    process                               target process
  PID 1128 set thread context of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid    process
  1680   AppLaunch.exe
  1680   AppLaunch.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid    process
  Token: SeDebugPrivilege   1680   AppLaunch.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                         pid    process                               target process
  PID 1128 wrote to memory of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
  PID 1128 wrote to memory of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
  PID 1128 wrote to memory of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
  PID 1128 wrote to memory of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
  PID 1128 wrote to memory of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
  PID 1128 wrote to memory of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
  PID 1128 wrote to memory of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
  PID 1128 wrote to memory of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
  PID 1128 wrote to memory of 1680    1128   2bfddaf30f7a81fd209a17e8bc06c5a6.exe  AppLaunch.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2bfddaf30f7a81fd209a17e8bc06c5a6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2bfddaf30f7a81fd209a17e8bc06c5a6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                                  filesize
memory/1680-55-0x0000000000400000-0x000000000042A000-memory.dmp       168KB
memory/1680-56-0x0000000000400000-0x000000000042A000-memory.dmp       168KB
memory/1680-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp       4KB
memory/1680-63-0x0000000000400000-0x000000000042A000-memory.dmp       168KB
memory/1680-62-0x0000000000400000-0x000000000042A000-memory.dmp       168KB
memory/1680-64-0x0000000004E90000-0x0000000004ED0000-memory.dmp       256KB