Analysis

- max time kernel: 135s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2023 12:20
- Static task: static1
- Behavioral task: behavioral1
  Sample: 443a2a80342e250493c764a1a2507766.exe
  Resource: win7-20230831-en
- Behavioral task: behavioral2
  Sample: 443a2a80342e250493c764a1a2507766.exe
  Resource: win10v2004-20230915-en
General

- Target: 443a2a80342e250493c764a1a2507766.exe
- Size: 397KB
- MD5: 443a2a80342e250493c764a1a2507766
- SHA1: 691bbb40c4cc19b99fcbb6e30e10989b010205fc
- SHA256: 36409da21c9c35416d4bf8c12e76042a7bcb09b8ab659545a33bd1d078e0dd86
- SHA512: a0d7c59f337f2f9ce32e12fc4ee3cc4025687fd0545a9511ea2246783d3e9cc5b63ba8a384d34d44dca399345862d79e53f43f02ca0d9e22b286ef1a047bee94
- SSDEEP: 6144:Lr9wjzsPCbww17bmxUa3feAOoKfzomMvggLY2ro7ysr9OrkYyUi:Lr9WsPCbwwq2d7om7gNo7yQ9O4YyUi
Malware Config

Extracted
- Family: redline
- Botnet: LogsDiller Cloud (TG: @logsdillabot)
- C2: 51.38.95.107:42494
- auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- Suspicious use of SetThreadContext (1 IoC)
  description                           pid    Process                                 procid_target
  PID 2196 set thread context of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29

- Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  2632   2196         WerFault.exe   21

- Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid    Process                                 procid_target
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2384   2196   443a2a80342e250493c764a1a2507766.exe    29
  PID 2196 wrote to memory of 2632   2196   443a2a80342e250493c764a1a2507766.exe    30
  PID 2196 wrote to memory of 2632   2196   443a2a80342e250493c764a1a2507766.exe    30
  PID 2196 wrote to memory of 2632   2196   443a2a80342e250493c764a1a2507766.exe    30
  PID 2196 wrote to memory of 2632   2196   443a2a80342e250493c764a1a2507766.exe    30
Processes

- C:\Users\Admin\AppData\Local\Temp\443a2a80342e250493c764a1a2507766.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\443a2a80342e250493c764a1a2507766.exe"
  PID: 2196
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 2384
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 92
    PID: 2632
    - Program crash