Analysis
- max time kernel: 207s
- max time network: 229s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-11-2023 11:07
Static task
- static1
Behavioral task
- behavioral1
  Sample: NEAS.b91bff2793d218fb9a34d49bf7bcbed0.exe
  Resource: win7-20231023-en
Behavioral task
- behavioral2
  Sample: NEAS.b91bff2793d218fb9a34d49bf7bcbed0.exe
  Resource: win10v2004-20231023-en
General
- Target: NEAS.b91bff2793d218fb9a34d49bf7bcbed0.exe
- Size: 1.1MB
- MD5: b91bff2793d218fb9a34d49bf7bcbed0
- SHA1: 00fada247acb0066b1b6b93cd7bf383deddc528b
- SHA256: 20818b31cf7934e86c9a353e27ba0e3ebd4f6d00986c0b8119e6fa30da41e4de
- SHA512: 0e03eebd8c42ca85ed4959e0d626b9e1d4f99218e0f8d110bf6ec0ce7cc4b07818742192044a91d68d40a31558ae43ff2773e283787d2e4379c3543195baebbb
- SSDEEP: 24576:Siu3GvJYfS8R+2oHZKO5bM4ZlhsOhsvAtffs:7YfS8RloH77lhsOhsvA
Malware Config
Extracted
- Family: redline
- Botnet: grome
- C2: 77.91.124.86:19084
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/2256-0-0x0000000000400000-0x000000000043E000-memory.dmp   family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process                                     target process
    PID 2752 set thread context of 2256   2752  NEAS.b91bff2793d218fb9a34d49bf7bcbed0.exe   AppLaunch.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process                                     target process
    PID 2752 wrote to memory of 2256   2752  NEAS.b91bff2793d218fb9a34d49bf7bcbed0.exe   AppLaunch.exe
    (this row appears 8 times in the report, one per recorded WriteProcessMemory call from PID 2752 into PID 2256)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.b91bff2793d218fb9a34d49bf7bcbed0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b91bff2793d218fb9a34d49bf7bcbed0.exe"  (tree depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"  (tree depth 2, child of the process above)
Network
MITRE ATT&CK Matrix
Downloads
  Dump                                                              Filesize
  memory/2256-0-0x0000000000400000-0x000000000043E000-memory.dmp    248KB
  memory/2256-1-0x0000000075080000-0x0000000075830000-memory.dmp    7.7MB
  memory/2256-2-0x0000000007A20000-0x0000000007FC4000-memory.dmp    5.6MB
  memory/2256-3-0x0000000007530000-0x00000000075C2000-memory.dmp    584KB
  memory/2256-4-0x0000000075080000-0x0000000075830000-memory.dmp    7.7MB
  memory/2256-5-0x0000000007660000-0x0000000007670000-memory.dmp    64KB
  memory/2256-6-0x00000000075F0000-0x00000000075FA000-memory.dmp    40KB
  memory/2256-7-0x00000000085F0000-0x0000000008C08000-memory.dmp    6.1MB
  memory/2256-8-0x0000000007FD0000-0x00000000080DA000-memory.dmp    1.0MB
  memory/2256-9-0x00000000076D0000-0x00000000076E2000-memory.dmp    72KB
  memory/2256-10-0x0000000007860000-0x000000000789C000-memory.dmp   240KB
  memory/2256-11-0x00000000078A0000-0x00000000078EC000-memory.dmp   304KB
  memory/2256-12-0x0000000007660000-0x0000000007670000-memory.dmp   64KB