Analysis
- max time kernel: 291s
- max time network: 306s
- platform: windows10-1703_x64
- resource: win10-20230831-en
- resource tags: arch:x64, arch:x86, image:win10-20230831-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 04-10-2023 07:07
Static task
- static1
Behavioral task
- behavioral1: sample j1874993.exe, resource win7-20230831-en
- behavioral2: sample j1874993.exe, resource win10-20230831-en
General
- Target: j1874993.exe
- Size: 390KB
- MD5: 917a092ad987565a5dc7994215a7bc4c
- SHA1: ab1ded1f85f73d5d4213c63d75690be715365e3a
- SHA256: b9db7b13ef839cf02efebdee5b78555f202c21d69380e3486b182a7399c02f22
- SHA512: cea17eec1063bef6f683bee8d6f544ee46ab1ae5b8cb366a901f74cd31aa015574903d339cea3283957250710e6cfca8e31432e4b403d5460645a47d8e9184e2
- SSDEEP: 6144:/KXFo/N5ExgFbNOUAHEHIXbLvZAOAiQyhWHf5QPd4mFCN73Vs0BC+:cwDExgFY5vx+iQyQHf5QPdtCdFs0BC+
Malware Config
Extracted
- family: redline
- botnet: gruha
- C2: 77.91.124.55:19071
- auth_value: 2f4cf2e668a540e64775b27535cc6892
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: PID 3796 set thread context of 5052 | pid: 3796 | process: j1874993.exe | target process: AppLaunch.exe
- Program crash (1 IoC)
  Processes:
  pid: 3076 | pid_target: 3796 | process: WerFault.exe | target process: j1874993.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description: PID 3796 wrote to memory of 5052 | pid: 3796 | process: j1874993.exe | target process: AppLaunch.exe (this entry is repeated 8 times, one per IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\j1874993.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\j1874993.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 140
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/5052-0-0x0000000000400000-0x0000000000430000-memory.dmp (filesize 192KB)
- memory/5052-4-0x0000000073D70000-0x000000007445E000-memory.dmp (filesize 6.9MB)
- memory/5052-5-0x00000000057B0000-0x00000000057B6000-memory.dmp (filesize 24KB)
- memory/5052-6-0x000000000F140000-0x000000000F746000-memory.dmp (filesize 6.0MB)
- memory/5052-7-0x000000000ECD0000-0x000000000EDDA000-memory.dmp (filesize 1.0MB)
- memory/5052-8-0x0000000009650000-0x0000000009660000-memory.dmp (filesize 64KB)
- memory/5052-9-0x000000000EC00000-0x000000000EC12000-memory.dmp (filesize 72KB)
- memory/5052-10-0x000000000EC60000-0x000000000EC9E000-memory.dmp (filesize 248KB)
- memory/5052-11-0x000000000EDE0000-0x000000000EE2B000-memory.dmp (filesize 300KB)
- memory/5052-16-0x0000000073D70000-0x000000007445E000-memory.dmp (filesize 6.9MB)
- memory/5052-17-0x0000000009650000-0x0000000009660000-memory.dmp (filesize 64KB)