Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2023 12:20
Static task: static1
Behavioral task: behavioral1
- Sample: 443a2a80342e250493c764a1a2507766.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 443a2a80342e250493c764a1a2507766.exe
- Resource: win10v2004-20230915-en
General
- Target: 443a2a80342e250493c764a1a2507766.exe
- Size: 397KB
- MD5: 443a2a80342e250493c764a1a2507766
- SHA1: 691bbb40c4cc19b99fcbb6e30e10989b010205fc
- SHA256: 36409da21c9c35416d4bf8c12e76042a7bcb09b8ab659545a33bd1d078e0dd86
- SHA512: a0d7c59f337f2f9ce32e12fc4ee3cc4025687fd0545a9511ea2246783d3e9cc5b63ba8a384d34d44dca399345862d79e53f43f02ca0d9e22b286ef1a047bee94
- SSDEEP: 6144:Lr9wjzsPCbww17bmxUa3feAOoKfzomMvggLY2ro7ysr9OrkYyUi:Lr9WsPCbwwq2d7om7gNo7yQ9O4YyUi
Malware Config
Extracted
- Family: redline
- Botnet: LogsDiller Cloud (TG: @logsdillabot)
- C2: 51.38.95.107:42494
- auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4280 set thread context of 2116 | 4280 | 443a2a80342e250493c764a1a2507766.exe | 84
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  5036 | 4280 | WerFault.exe | 81
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4280 wrote to memory of 2116 | 4280 | 443a2a80342e250493c764a1a2507766.exe | 84
  (the same row is reported 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\443a2a80342e250493c764a1a2507766.exe (PID 4280)
  command line: "C:\Users\Admin\AppData\Local\Temp\443a2a80342e250493c764a1a2507766.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2116)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID 5036)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 288
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5048)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4280 -ip 4280