Analysis
- max time kernel: 292s
- max time network: 307s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2023 07:10
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: j7464231.exe, resource: win7-20230831-en)
- Behavioral task: behavioral2 (sample: j7464231.exe, resource: win10-20230915-en)
General
- Target: j7464231.exe
- Size: 310KB
- MD5: 785964441bf75233d9a0e900d791b0ec
- SHA1: 0b2be90f3d98b8efce0f0c9339b4108f8e94cda6
- SHA256: 00f3d069d6b0df663223b54552695c90e33fdf049466e48c1a794312ef1854e8
- SHA512: 1dff833f36a5952b9fc9bcf5eb3ffdcb9e6292f2401d78f5efcd544848097bb5f3a484ddf4a81cfd8908986b9c4239286e57bb4905c9cde9fab945ea841c974f
- SSDEEP: 6144:WhzDq0Bru5tnsqWQYeamN4nXyohSUGzOjrj:Wtq0BruRa+yXyohSo/j
Malware Config
Extracted
- Family: redline
- Botnet: gruha
- C2: 77.91.124.55:19071
- auth_value: 2f4cf2e668a540e64775b27535cc6892
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                           pid    process        target process
  PID 2860 set thread context of 2704   2860   j7464231.exe   AppLaunch.exe
- Program crash (1 IoC)
  Processes:
  pid    pid_target   process        target process
  2332   2860         WerFault.exe   j7464231.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (identical events collapsed, with a count of how often each appears):
  description                          pid    process        target process   count
  PID 2860 wrote to memory of 2704     2860   j7464231.exe   AppLaunch.exe    12
  PID 2860 wrote to memory of 2332     2860   j7464231.exe   WerFault.exe     4
Processes
- C:\Users\Admin\AppData\Local\Temp\j7464231.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\j7464231.exe"
  PID: 2860
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 2704
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 68
    PID: 2332
    - Program crash
Downloads
- memory/2704-0-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/2704-1-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/2704-2-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/2704-3-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/2704-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp (4KB)
- memory/2704-5-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/2704-7-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/2704-9-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/2704-10-0x0000000073EC0000-0x00000000745AE000-memory.dmp (6.9MB)
- memory/2704-11-0x0000000000250000-0x0000000000256000-memory.dmp (24KB)
- memory/2704-12-0x0000000004910000-0x0000000004950000-memory.dmp (256KB)
- memory/2704-13-0x0000000073EC0000-0x00000000745AE000-memory.dmp (6.9MB)
- memory/2704-14-0x0000000004910000-0x0000000004950000-memory.dmp (256KB)