Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2023 04:20
Static task: static1
Behavioral task: behavioral1
- Sample: b273c68306bfba8fe55a39fe29c5a160.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: b273c68306bfba8fe55a39fe29c5a160.exe
- Resource: win10v2004-20230703-en
General
- Target: b273c68306bfba8fe55a39fe29c5a160.exe
- Size: 1.8MB
- MD5: b273c68306bfba8fe55a39fe29c5a160
- SHA1: 4f323552f4303b5394680c4f73452ff63a6972cc
- SHA256: 90a8447971f2150fe9ba03d2680af7bdd33de721e9e1521166a7826ed143a2d8
- SHA512: 4ae57a98fe732d66061469b3b147f10015cea8d7df640657185133a529332b4eaff0ad9e8854a04ccb6d47aa24fe93350451434a2f75a5824cb1154bcf104d00
- SSDEEP: 6144:B0TtB357yFQgb8AQ5wDsNXq+2MffwMvrgJngQ8vFr6:B0TtB357GfsN6nMfLcJgQo
Malware Config
Extracted
- Family: redline
- Botnet: @zerOgr4v1ty
- C2: 94.142.138.4:80
- auth_value: 20d72d1b5f29f6ee8b5b569f88bdb459
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2380 (b273c68306bfba8fe55a39fe29c5a160.exe) set thread context of PID 1592 (procid_target 29)
- Program crash (1 IoC)
  PID 1744 (WerFault.exe) handled the crash of PID 2380 (procid_target 27)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1592 (AppLaunch.exe), two events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1592 (AppLaunch.exe), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2380 (b273c68306bfba8fe55a39fe29c5a160.exe) wrote to memory of PID 1592 (procid_target 29), 9 events
  PID 2380 (b273c68306bfba8fe55a39fe29c5a160.exe) wrote to memory of PID 1744 (procid_target 30), 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\b273c68306bfba8fe55a39fe29c5a160.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b273c68306bfba8fe55a39fe29c5a160.exe"
   PID: 2380
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of PID 2380)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 1592
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 2380)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 36
      PID: 1744
      - Program crash
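Read together, the SetThreadContext and WriteProcessMemory rows in Signatures and the process tree above describe the loader (PID 2380) writing into a .NET host it spawned (AppLaunch.exe, PID 1592) and then redirecting that process's thread, which is the process hollowing pattern; the writes into WerFault.exe (PID 1744) have no matching SetThreadContext and line up with the crash handoff for PID 2380 (WerFault -p 2380). The script below is an added example, not part of this report or of any sandbox's own code: it parses IoC rows in the report's row format (constructed inline from the rows above), correlates them per source/target pair, and separates the hollowing case from the crash-report case. The list of commonly hollowed Microsoft host binaries and the verdict strings are assumptions of the example.

```python
"""Correlate sandbox process-injection IoC rows into per-target verdicts."""
import re
from dataclasses import dataclass

# Constructed from the report's signature rows: one line per event, in the
# sandbox's "PID <src> <op> <dst> <src> <image> <procid_target>" row format.
SAMPLE_IOCS = (
    ["PID 2380 set thread context of 1592 2380 b273c68306bfba8fe55a39fe29c5a160.exe 29"]
    + ["PID 2380 wrote to memory of 1592 2380 b273c68306bfba8fe55a39fe29c5a160.exe 29"] * 9
    + ["PID 2380 wrote to memory of 1744 2380 b273c68306bfba8fe55a39fe29c5a160.exe 30"] * 4
)

# Taken from the report's process tree: pid -> image name.
PROCESS_IMAGES = {
    2380: "b273c68306bfba8fe55a39fe29c5a160.exe",
    1592: "AppLaunch.exe",
    1744: "WerFault.exe",
}

# Assumption of this example (not from the report): signed .NET/framework
# hosts that loaders commonly spawn suspended and hollow.
COMMON_HOLLOW_HOSTS = {
    "applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "aspnet_compiler.exe",
}

IOC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+)\s+\d+\s+(?P<image>\S+)\s+(?P<procid>\d+)$"
)


@dataclass
class InjectionEdge:
    """Everything observed from one source PID against one target PID."""
    src: int
    dst: int
    writes: int = 0          # number of WriteProcessMemory events
    set_context: bool = False  # at least one SetThreadContext event
    src_image: str = ""


def parse_iocs(lines):
    """Group IoC rows by (src, dst); unparseable lines are skipped."""
    edges = {}
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, InjectionEdge(*key, src_image=m["image"]))
        if m["op"].startswith("wrote"):
            edge.writes += 1
        else:
            edge.set_context = True
    return edges


def classify(edge, images):
    """Memory writes alone are not injection; writes plus a thread-context
    change on a spawned host is the hollowing signature."""
    target = images.get(edge.dst, "").lower()
    if edge.set_context and edge.writes:
        confidence = "high" if target in COMMON_HOLLOW_HOSTS else "medium"
        return f"process hollowing ({confidence} confidence)"
    if edge.set_context:
        return "thread hijack without observed memory writes"
    if target == "werfault.exe":
        # The parent hands crash context to WerFault; no execution redirect.
        return "crash-report handoff, not flagged"
    return "memory writes only, review"


def report(lines=SAMPLE_IOCS, images=PROCESS_IMAGES):
    """Return {(src, dst): verdict} for every correlated edge."""
    return {key: classify(edge, images) for key, edge in parse_iocs(lines).items()}


if __name__ == "__main__":
    for (src, dst), verdict in report().items():
        print(f"{src} ({PROCESS_IMAGES.get(src)}) -> {dst} ({PROCESS_IMAGES.get(dst)}): {verdict}")
```

Run as-is it prints one verdict per edge: the 2380 -> 1592 edge is flagged as hollowing of AppLaunch.exe, while the 2380 -> 1744 edge is left alone. The same correlation works on a Sysmon or EDR feed once the rows are mapped to the (source PID, target PID, operation) triple; the point is to key on the combination of write plus thread-context change on a child, not on either API alone.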