Analysis
-
max time kernel
91s
-
max time network
134s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230703-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
-
submitted
30-07-2023 23:44
Static task
static1
Behavioral task
behavioral1
Sample
ValorantExternal v3.4.1.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
ValorantExternal v3.4.1.exe
Resource
win10v2004-20230703-en
General
-
Target
ValorantExternal v3.4.1.exe
-
Size
978KB
-
MD5
c36eae4946702af2ff4896cc89f13823
-
SHA1
7b136099fa2e6ef706bb88d0ba7c69b4386705a1
-
SHA256
55b003f9fc3a0c8b538d04701cb2fb57441bdd24144b69f258eb1df7b74de79e
-
SHA512
308cdfe1fb9034f98bf5726608d427e6b3c25656eee5c4003ec0399ea022b88f40b87c4f4acff823f39278237457e93c93f439259212e5d4fd207c2b598292e9
-
SSDEEP
12288:me9LrhpIF+G5PMZ619CsajupXmzrgSyszQuUg4sEnduzzercMgO4WvN3NMoqd:p9fhpIwG5PMZ6pgQuUgUnOzU3NB
Malware Config
Extracted
redline
@wtflooool
94.142.138.4:80
-
auth_value
73b07b01031cf6f2730ccdf9b9448a33
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
ValorantExternal v3.4.1.exe
description: PID 5064 set thread context of 2636
pid: 5064
process: ValorantExternal v3.4.1.exe
target process: AppLaunch.exe
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid: 1696
pid_target: 5064
process: WerFault.exe
target process: ValorantExternal v3.4.1.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
AppLaunch.exe
pid: 2636, process: AppLaunch.exe
pid: 2636, process: AppLaunch.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
AppLaunch.exe
description: Token: SeDebugPrivilege
pid: 2636
process: AppLaunch.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
ValorantExternal v3.4.1.exe
description: PID 5064 wrote to memory of 2636, pid: 5064, process: ValorantExternal v3.4.1.exe, target process: AppLaunch.exe
description: PID 5064 wrote to memory of 2636, pid: 5064, process: ValorantExternal v3.4.1.exe, target process: AppLaunch.exe
description: PID 5064 wrote to memory of 2636, pid: 5064, process: ValorantExternal v3.4.1.exe, target process: AppLaunch.exe
description: PID 5064 wrote to memory of 2636, pid: 5064, process: ValorantExternal v3.4.1.exe, target process: AppLaunch.exe
description: PID 5064 wrote to memory of 2636, pid: 5064, process: ValorantExternal v3.4.1.exe, target process: AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ValorantExternal v3.4.1.exe
command line: "C:\Users\Admin\AppData\Local\Temp\ValorantExternal v3.4.1.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 5064
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of 5064)
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2636
  -
  C:\Windows\SysWOW64\WerFault.exe (child of 5064)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 300
  - Program crash
  PID: 1696
-
C:\Windows\SysWOW64\WerFault.exe
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5064 -ip 5064
PID: 2772