Analysis
max time kernel: 157s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2023 16:04
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.25e4e3112f0b65ae71bb8494373a0b20.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.25e4e3112f0b65ae71bb8494373a0b20.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.25e4e3112f0b65ae71bb8494373a0b20.exe
Size: 1.1MB
MD5: 25e4e3112f0b65ae71bb8494373a0b20
SHA1: 67bc252c5fdcfe6c85eef76233b644e2fcaf86ba
SHA256: c33bcb84e76d128bdb882e1c19a41cf635c70021d79f760384dc079a50c7dab7
SHA512: 14ddf42f7a78b1e53ba66d1860baf6d0d8ab6346abbe33f32600d6a75f90461ed80d329f1b6005fa95aea988665faf0ff3e5c0e56c4fdee8f32dace9a1730511
SSDEEP: 24576:SFH3GvJYfS8Ru+onZKO5pyyFEXPJuN3l:ZYfS8RlonJyyFEXwN3l
Malware Config
Extracted: redline
grome
77.91.124.86:19084
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
Processes:
  resource: behavioral2/memory/4540-0-0x0000000000400000-0x000000000043E000-memory.dmp
  yara_rule: family_redline

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 2008 set thread context of 4540
  pid: 2008
  process: NEAS.25e4e3112f0b65ae71bb8494373a0b20.exe
  target process: AppLaunch.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (the same event is recorded 8 times):
  description: PID 2008 wrote to memory of 4540
  pid: 2008
  process: NEAS.25e4e3112f0b65ae71bb8494373a0b20.exe
  target process: AppLaunch.exe

Read together, these three signatures describe the sample (PID 2008) writing into and resetting the thread context of the .NET host AppLaunch.exe (PID 4540), with the RedLine YARA match landing on that host's 0x00400000 image region: the classic process-injection pattern in which the stealer payload runs inside a legitimate, signed Microsoft process rather than in the dropper itself. For detection, the useful signals are the cross-process WriteProcessMemory/SetThreadContext pair targeting AppLaunch.exe and the outbound connection to 77.91.124.86:19084 from that host process.
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.25e4e3112f0b65ae71bb8494373a0b20.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.25e4e3112f0b65ae71bb8494373a0b20.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Downloads (memory dumps of PID 4540, AppLaunch.exe)
memory/4540-0-0x0000000000400000-0x000000000043E000-memory.dmp: 248KB (region matched by yara_rule family_redline above)
memory/4540-1-0x0000000074310000-0x0000000074AC0000-memory.dmp: 7.7MB
memory/4540-2-0x0000000007B20000-0x00000000080C4000-memory.dmp: 5.6MB
memory/4540-3-0x0000000007650000-0x00000000076E2000-memory.dmp: 584KB
memory/4540-4-0x0000000007600000-0x0000000007610000-memory.dmp: 64KB
memory/4540-5-0x0000000007640000-0x000000000764A000-memory.dmp: 40KB
memory/4540-6-0x00000000086F0000-0x0000000008D08000-memory.dmp: 6.1MB
memory/4540-7-0x00000000079A0000-0x0000000007AAA000-memory.dmp: 1.0MB
memory/4540-8-0x00000000078B0000-0x00000000078C2000-memory.dmp: 72KB
memory/4540-9-0x0000000007910000-0x000000000794C000-memory.dmp: 240KB
memory/4540-10-0x0000000007950000-0x000000000799C000-memory.dmp: 304KB
memory/4540-11-0x0000000074310000-0x0000000074AC0000-memory.dmp: 7.7MB
memory/4540-12-0x0000000007600000-0x0000000007610000-memory.dmp: 64KB