Analysis
- max time kernel: 293s
- max time network: 301s
- platform: windows10-1703_x64
- resource: win10-20231020-en
- resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03-11-2023 05:10
Static task: static1
Behavioral task: behavioral1
- Sample: 4jS459oE.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: 4jS459oE.exe
- Resource: win10-20231020-en
General
- Target: 4jS459oE.exe
- Size: 1.2MB
- MD5: c7bdf9f271930e91de49fecd15c74608
- SHA1: 182e0da7fce4b75460d4a7035386aa072949d3ae
- SHA256: 24298788ef815c8db03ed863813543276cd790e69227761dfd14a01d9ac2e899
- SHA512: b5a7108c4c28fc13c679b61b003a2bd26f3ac07a55e223c3939e1bd6a5aa47f6ab70abca1c64f41d0d478e13656115139543578f5a07639067f20dd5ef4aceba
- SSDEEP: 24576:XZ22dAiItf+BVHjcIoRj3csPwTSLcqDB:hItf+BVAIwPoTSLcqN
Malware Config
Extracted
- redline
- grome
- 77.91.124.86:19084
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
  - resource: behavioral2/memory/4488-0-0x0000000000400000-0x000000000043E000-memory.dmp; yara_rule: family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - description: PID 2488 set thread context of 4488; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
- Program crash (1 IoC)
  Processes:
  - pid: 4796; pid_target: 2488; process: WerFault.exe; target process: 4jS459oE.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - description: PID 2488 wrote to memory of 2308; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 2308; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 2308; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 4488; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 4488; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 4488; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 4488; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 4488; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 4488; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 4488; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
  - description: PID 2488 wrote to memory of 4488; pid: 2488; process: 4jS459oE.exe; target process: AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4jS459oE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4jS459oE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 320
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/4488-0-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4488-4-0x0000000073590000-0x0000000073C7E000-memory.dmp (Filesize: 6.9MB)
- memory/4488-5-0x000000000B980000-0x000000000BE7E000-memory.dmp (Filesize: 5.0MB)
- memory/4488-6-0x000000000B480000-0x000000000B512000-memory.dmp (Filesize: 584KB)
- memory/4488-7-0x000000000B6A0000-0x000000000B6B0000-memory.dmp (Filesize: 64KB)
- memory/4488-8-0x000000000B5F0000-0x000000000B5FA000-memory.dmp (Filesize: 40KB)
- memory/4488-9-0x000000000C490000-0x000000000CA96000-memory.dmp (Filesize: 6.0MB)
- memory/4488-10-0x000000000BF90000-0x000000000C09A000-memory.dmp (Filesize: 1.0MB)
- memory/4488-11-0x000000000B820000-0x000000000B832000-memory.dmp (Filesize: 72KB)
- memory/4488-12-0x000000000B8C0000-0x000000000B8FE000-memory.dmp (Filesize: 248KB)
- memory/4488-13-0x000000000B900000-0x000000000B94B000-memory.dmp (Filesize: 300KB)
- memory/4488-18-0x0000000073590000-0x0000000073C7E000-memory.dmp (Filesize: 6.9MB)
- memory/4488-19-0x000000000B6A0000-0x000000000B6B0000-memory.dmp (Filesize: 64KB)