Analysis

  • max time kernel
    126s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2023 04:17

General

  • Target

    b273c68306bfba8fe55a39fe29c5a160.exe

  • Size

    1.8MB

  • MD5

    b273c68306bfba8fe55a39fe29c5a160

  • SHA1

    4f323552f4303b5394680c4f73452ff63a6972cc

  • SHA256

    90a8447971f2150fe9ba03d2680af7bdd33de721e9e1521166a7826ed143a2d8

  • SHA512

    4ae57a98fe732d66061469b3b147f10015cea8d7df640657185133a529332b4eaff0ad9e8854a04ccb6d47aa24fe93350451434a2f75a5824cb1154bcf104d00

  • SSDEEP

    6144:B0TtB357yFQgb8AQ5wDsNXq+2MffwMvrgJngQ8vFr6:B0TtB357GfsN6nMfLcJgQo

Malware Config

Extracted

Family

redline

Botnet

@zerOgr4v1ty

C2

94.142.138.4:80

Attributes
  • auth_value

    20d72d1b5f29f6ee8b5b569f88bdb459

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b273c68306bfba8fe55a39fe29c5a160.exe
    "C:\Users\Admin\AppData\Local\Temp\b273c68306bfba8fe55a39fe29c5a160.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 140
      2⤵
      • Program crash
      PID:4656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5064 -ip 5064
    1⤵
      PID:4952

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2084-146-0x0000000005610000-0x0000000005686000-memory.dmp

      Filesize

      472KB

    • memory/2084-140-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

    • memory/2084-147-0x0000000005730000-0x00000000057C2000-memory.dmp

      Filesize

      584KB

    • memory/2084-148-0x000000000A020000-0x000000000A5C4000-memory.dmp

      Filesize

      5.6MB

    • memory/2084-142-0x0000000006080000-0x0000000006698000-memory.dmp

      Filesize

      6.1MB

    • memory/2084-143-0x0000000005CE0000-0x0000000005DEA000-memory.dmp

      Filesize

      1.0MB

    • memory/2084-144-0x0000000005E10000-0x0000000005E22000-memory.dmp

      Filesize

      72KB

    • memory/2084-145-0x0000000005E70000-0x0000000005EAC000-memory.dmp

      Filesize

      240KB

    • memory/2084-156-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

    • memory/2084-134-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2084-141-0x0000000004E40000-0x0000000004E50000-memory.dmp

      Filesize

      64KB

    • memory/2084-149-0x0000000006FC0000-0x0000000007026000-memory.dmp

      Filesize

      408KB

    • memory/2084-150-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

    • memory/2084-151-0x0000000007030000-0x0000000007080000-memory.dmp

      Filesize

      320KB

    • memory/2084-152-0x000000000B0C0000-0x000000000B282000-memory.dmp

      Filesize

      1.8MB

    • memory/2084-153-0x000000000B7C0000-0x000000000BCEC000-memory.dmp

      Filesize

      5.2MB

    • memory/2084-154-0x0000000004E40000-0x0000000004E50000-memory.dmp

      Filesize

      64KB

    • memory/5064-135-0x00000000002A0000-0x0000000000466000-memory.dmp

      Filesize

      1.8MB