Analysis

max time kernel: 126s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2023 04:17
Static task: static1

Behavioral task: behavioral1
  Sample: b273c68306bfba8fe55a39fe29c5a160.exe
  Resource: win7-20230712-en

Behavioral task: behavioral2
  Sample: b273c68306bfba8fe55a39fe29c5a160.exe
  Resource: win10v2004-20230703-en
General

Target: b273c68306bfba8fe55a39fe29c5a160.exe
Size: 1.8MB
MD5: b273c68306bfba8fe55a39fe29c5a160
SHA1: 4f323552f4303b5394680c4f73452ff63a6972cc
SHA256: 90a8447971f2150fe9ba03d2680af7bdd33de721e9e1521166a7826ed143a2d8
SHA512: 4ae57a98fe732d66061469b3b147f10015cea8d7df640657185133a529332b4eaff0ad9e8854a04ccb6d47aa24fe93350451434a2f75a5824cb1154bcf104d00
SSDEEP: 6144:B0TtB357yFQgb8AQ5wDsNXq+2MffwMvrgJngQ8vFr6:B0TtB357GfsN6nMfLcJgQo
Malware Config

Extracted: redline
  @zerOgr4v1ty
  94.142.138.4:80
  auth_value: 20d72d1b5f29f6ee8b5b569f88bdb459
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                               procid_target
  PID 5064 set thread context of 2084  5064  b273c68306bfba8fe55a39fe29c5a160.exe  90

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  4656  5064        WerFault.exe  83

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2084  AppLaunch.exe
  2084  AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2084  AppLaunch.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                               procid_target
  PID 5064 wrote to memory of 2084  5064  b273c68306bfba8fe55a39fe29c5a160.exe  90
  PID 5064 wrote to memory of 2084  5064  b273c68306bfba8fe55a39fe29c5a160.exe  90
  PID 5064 wrote to memory of 2084  5064  b273c68306bfba8fe55a39fe29c5a160.exe  90
  PID 5064 wrote to memory of 2084  5064  b273c68306bfba8fe55a39fe29c5a160.exe  90
  PID 5064 wrote to memory of 2084  5064  b273c68306bfba8fe55a39fe29c5a160.exe  90
Processes

C:\Users\Admin\AppData\Local\Temp\b273c68306bfba8fe55a39fe29c5a160.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b273c68306bfba8fe55a39fe29c5a160.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 5064

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2084

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1402
      - Program crash
      PID: 4656

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5064 -ip 5064
  PID: 4952