Analysis
-
max time kernel
294s -
max time network
306s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system -
submitted
10-10-2023 05:02
Static task
static1
Behavioral task
behavioral1
Sample
4oE045Hr.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
4oE045Hr.exe
Resource
win10-20230915-en
General
-
Target
4oE045Hr.exe
-
Size
459KB
-
MD5
0f9bf0eeeae62f42f1e7f735706d1a14
-
SHA1
efd2514c4d6c7e6ce1f39008fafe3bcb8b12408e
-
SHA256
f1626105054686b8af41da05be026b6c8bfb9b9dc052e7c32b79193472f1ceba
-
SHA512
8aafdb85d2a4ca093ab4e0de6601f2a00e04413079b58fb5e0ab710fb3edb1d54796c3b30c6502f626e326c46d322616c7ba195385f4e2ee3158f9dcf361da27
-
SSDEEP
6144:IfThnbDPM4jjdpvIN8fp7z5BAOgfFHN6DEvQiCD8S40X:IfTVDPjjb/+fpNs3dRNX
Malware Config
Extracted
redline
frant
77.91.124.55:19071
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4552-0-0x0000000000400000-0x000000000043E000-memory.dmp family_redline -
Suspicious use of SetThreadContext 1 IoCs
Processes:
4oE045Hr.exedescription pid process target process PID 2940 set thread context of 4552 2940 4oE045Hr.exe AppLaunch.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2608 2940 WerFault.exe 4oE045Hr.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
4oE045Hr.exedescription pid process target process PID 2940 wrote to memory of 4552 2940 4oE045Hr.exe AppLaunch.exe PID 2940 wrote to memory of 4552 2940 4oE045Hr.exe AppLaunch.exe PID 2940 wrote to memory of 4552 2940 4oE045Hr.exe AppLaunch.exe PID 2940 wrote to memory of 4552 2940 4oE045Hr.exe AppLaunch.exe PID 2940 wrote to memory of 4552 2940 4oE045Hr.exe AppLaunch.exe PID 2940 wrote to memory of 4552 2940 4oE045Hr.exe AppLaunch.exe PID 2940 wrote to memory of 4552 2940 4oE045Hr.exe AppLaunch.exe PID 2940 wrote to memory of 4552 2940 4oE045Hr.exe AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4oE045Hr.exe"C:\Users\Admin\AppData\Local\Temp\4oE045Hr.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 3522⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4552-0-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4552-4-0x0000000073E60000-0x000000007454E000-memory.dmpFilesize
6.9MB
-
memory/4552-5-0x000000000B940000-0x000000000BE3E000-memory.dmpFilesize
5.0MB
-
memory/4552-6-0x000000000B520000-0x000000000B5B2000-memory.dmpFilesize
584KB
-
memory/4552-7-0x000000000B690000-0x000000000B6A0000-memory.dmpFilesize
64KB
-
memory/4552-8-0x000000000B500000-0x000000000B50A000-memory.dmpFilesize
40KB
-
memory/4552-9-0x000000000C450000-0x000000000CA56000-memory.dmpFilesize
6.0MB
-
memory/4552-10-0x000000000BF50000-0x000000000C05A000-memory.dmpFilesize
1.0MB
-
memory/4552-11-0x000000000B890000-0x000000000B8A2000-memory.dmpFilesize
72KB
-
memory/4552-12-0x000000000B8F0000-0x000000000B92E000-memory.dmpFilesize
248KB
-
memory/4552-13-0x000000000BE40000-0x000000000BE8B000-memory.dmpFilesize
300KB
-
memory/4552-18-0x0000000073E60000-0x000000007454E000-memory.dmpFilesize
6.9MB
-
memory/4552-19-0x000000000B690000-0x000000000B6A0000-memory.dmpFilesize
64KB