Analysis
- max time kernel: 124s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-08-2023 17:45
Static task
- static1
  - 1 signatures

Behavioral task
- behavioral1
  - Sample: file.exe
  - Resource: win7-20230712-en (windows7-x64)
  - 8 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: file.exe
  - Resource: win10v2004-20230703-en (windows10-2004-x64)
  - 8 signatures
  - 150 seconds
General
- Target: file.exe
- Size: 2.5MB
- MD5: 9225af6907f744e62582f10d2ff6e55a
- SHA1: e980cd01dc2ee38bea8de49eabff1ad84d0cf14f
- SHA256: 801c2bd3ddf4cc21ea6d95eaf5e9bbba3b9f0ce256e4af670217754dd7473a1e
- SHA512: 6e0b824f5bfd2a42bc065fe5de5bf33de48c412b8cc5502e448dd5746305927223530ca44870f92f2b386767e4abad7804d31b34926abdb4b7cb18ad7c9e286d
- SSDEEP: 24576:ezfDdstXT4e+MnrgWlDg8MnmBea3dyY69i1MWY:e6XT4e+GdrLBeq6V
- Score: 10/10
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/2584-135-0x0000000000EF0000-0x00000000011BF000-memory.dmp | family_redline
    behavioral2/memory/916-134-0x0000000000400000-0x000000000045A000-memory.dmp | family_redline
    behavioral2/memory/2584-137-0x0000000000EF0000-0x00000000011BF000-memory.dmp | family_redline

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    file.exe
    description | pid | process | target process
    PID 2584 set thread context of 916 | 2584 | file.exe | AppLaunch.exe

- Program crash (1 IoCs)
  Processes:
    WerFault.exe
    pid | pid_target | process | target process
    3008 | 2584 | WerFault.exe | file.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    AppLaunch.exe
    pid | process
    916 | AppLaunch.exe
    916 | AppLaunch.exe
    916 | AppLaunch.exe
    916 | AppLaunch.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    AppLaunch.exe
    description | pid | process
    Token: SeDebugPrivilege | 916 | AppLaunch.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    file.exe
    description | pid | process | target process
    PID 2584 wrote to memory of 916 | 2584 | file.exe | AppLaunch.exe
    PID 2584 wrote to memory of 916 | 2584 | file.exe | AppLaunch.exe
    PID 2584 wrote to memory of 916 | 2584 | file.exe | AppLaunch.exe
    PID 2584 wrote to memory of 916 | 2584 | file.exe | AppLaunch.exe
    PID 2584 wrote to memory of 916 | 2584 | file.exe | AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2584
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 916
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 416
    - Program crash
    PID: 3008
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2584 -ip 2584
  PID: 536