Analysis
max time kernel: 126s
max time network: 132s
platform: windows10-1703_x64
resource: win10-20231020-en
resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05/11/2023, 12:52
Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 404f2d2629f40e85a44f73a6e75ea8ead6d34b0a5e1eb3af4a9972985b517fac.exe
Resource: win10-20231020-en
7 signatures, 150 seconds
General
Target: 404f2d2629f40e85a44f73a6e75ea8ead6d34b0a5e1eb3af4a9972985b517fac.exe
Size: 15.5MB
MD5: 43dd43083bf57daf439d6aafc84bb1f2
SHA1: b71f215b2bda432d40c542b0ddf2a6d3920a236b
SHA256: 404f2d2629f40e85a44f73a6e75ea8ead6d34b0a5e1eb3af4a9972985b517fac
SHA512: 167c52bc7a590895a3565699a05e681af7e9e2be4af0fb777d03a5112bb425d08145a7955fd26922c2fdc3410e2af814351a5de01545724356cbe8f11afb7580
SSDEEP: 98304:OcO2xKWhq+01YwnP31dTYoQ0dHc6bqJO:Off/0oQA86bp
Score: 10/10
Malware Config
Extracted
Family: redline
Botnet: YT&TEAM CLOUD
C2: 194.169.175.235:42691
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral1/memory/4608-5-0x0000000000610000-0x000000000064E000-memory.dmp
  yara_rule: family_redline
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2724 set thread context of 4608
  pid: 2724
  Process: 404f2d2629f40e85a44f73a6e75ea8ead6d34b0a5e1eb3af4a9972985b517fac.exe
  procid_target: 71
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 4608, Process: jsc.exe (reported three times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 4608
  Process: jsc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 2724 wrote to memory of 4608 (reported five times)
  pid: 2724
  Process: 404f2d2629f40e85a44f73a6e75ea8ead6d34b0a5e1eb3af4a9972985b517fac.exe
  procid_target: 71
Processes
- C:\Users\Admin\AppData\Local\Temp\404f2d2629f40e85a44f73a6e75ea8ead6d34b0a5e1eb3af4a9972985b517fac.exe (depth 1, PID: 2724)
  command line: "C:\Users\Admin\AppData\Local\Temp\404f2d2629f40e85a44f73a6e75ea8ead6d34b0a5e1eb3af4a9972985b517fac.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (depth 2, PID: 4608, child of 2724)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken