Analysis
- max time kernel: 290s
- max time network: 297s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2023 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: j0377021.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: j0377021.exe
- Resource: win10-20230915-en
General
- Target: j0377021.exe
- Size: 390KB
- MD5: 5400ef9b599b97241b92c86f3dbd4cfd
- SHA1: c1f2456bc1bd87ca2202be79a8e5849e91d99dd1
- SHA256: eb104ce924ac2c526c482db13312aa44ad634b3b934de628b5e0d4b2b1d60146
- SHA512: c4d72a3063da664b87d7cb94d4a7e43ea62ec541b68e4ba79622292a9d46355d12a7677a08257358e4793187a944595fd164307fcaabfdd311cecbf22933e630
- SSDEEP: 6144:jhXFo/N5ExgFbNOUAHEHIXbLvZAOSu5rud2lXnr5QfjMrAcVs0BC+:DwDExgFY5vx0uy2lGwrA4s0BC+
Malware Config
Extracted
- Family: redline
- Botnet: gruha
- C2: 77.91.124.55:19071
- Attributes: auth_value = 2f4cf2e668a540e64775b27535cc6892
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description             pid   process        target PID  target process
  set thread context of   2952  j0377021.exe   3004        AppLaunch.exe
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process        target process
  2260  2952        WerFault.exe   j0377021.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description           pid   process        target PID  target process   occurrences
  wrote to memory of    2952  j0377021.exe   3004        AppLaunch.exe    12
  wrote to memory of    2952  j0377021.exe   2260        WerFault.exe     4
Processes
- C:\Users\Admin\AppData\Local\Temp\j0377021.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\j0377021.exe"
  PID: 2952
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 3004
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 76
    PID: 2260
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/3004-0-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/3004-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp (Filesize: 4KB)
- memory/3004-5-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/3004-3-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/3004-2-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/3004-1-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/3004-7-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/3004-9-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/3004-10-0x00000000747B0000-0x0000000074E9E000-memory.dmp (Filesize: 6.9MB)
- memory/3004-11-0x0000000000280000-0x0000000000286000-memory.dmp (Filesize: 24KB)
- memory/3004-12-0x0000000004CF0000-0x0000000004D30000-memory.dmp (Filesize: 256KB)
- memory/3004-13-0x00000000747B0000-0x0000000074E9E000-memory.dmp (Filesize: 6.9MB)
- memory/3004-14-0x0000000004CF0000-0x0000000004D30000-memory.dmp (Filesize: 256KB)