Analysis
max time kernel: 153s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2023 22:58
Static task: static1
Behavioral task: behavioral1
Sample: 1f2f4b97cf33e38fd3673f203e663ae0.exe
Resource: win7-20231215-en
General
Target: 1f2f4b97cf33e38fd3673f203e663ae0.exe
Size: 125KB
MD5: 1f2f4b97cf33e38fd3673f203e663ae0
SHA1: 691bce10f015d6b6c41656a2e6a249fde5dcc9a7
SHA256: 69121cc59905d374c6a35a13940e855a9c68344a740471d7769e845a8ca0efc8
SHA512: aa29dbcd36effe15d19bd06425fbe3044dc2727fe02977b6a3437cf6b6d54cd6c7416f1434d0875a2e5d7b66d9e4a12a72d6c50a652f1869863e87c0c04f0275
SSDEEP: 3072:ieYUmYrpIvqp+Wur9ftKLkvmt4XtgQ0Y+jneqW:iemYVEqp+WOf64XtgQ0YEnfW
Malware Config
Extracted
Family: redline
Botnet: mix
C2: 135.181.175.182:10628
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral2/memory/2952-2-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline

SectopRAT payload (1 IoC)
resource | yara_rule
behavioral2/memory/2952-2-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 2012 set thread context of 2952 | 2012 | 1f2f4b97cf33e38fd3673f203e663ae0.exe | RegSvcs.exe

Program crash (1 IoC)
pid | pid_target | process | target process
1192 | 2012 | WerFault.exe | 1f2f4b97cf33e38fd3673f203e663ae0.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 2952 | RegSvcs.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | process | target process
PID 2012 wrote to memory of 2952 | 2012 | 1f2f4b97cf33e38fd3673f203e663ae0.exe | RegSvcs.exe
(the same write event is recorded five times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1f2f4b97cf33e38fd3673f203e663ae0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1f2f4b97cf33e38fd3673f203e663ae0.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 292
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2012 -ip 2012
Network
MITRE ATT&CK Matrix
Downloads
memory dump | Filesize
memory/2012-1-0x0000000000E20000-0x0000000000F20000-memory.dmp | 1024KB
memory/2952-2-0x0000000000400000-0x000000000041E000-memory.dmp | 120KB
memory/2952-7-0x0000000074DD0000-0x0000000075580000-memory.dmp | 7.7MB
memory/2952-8-0x0000000005A30000-0x0000000006048000-memory.dmp | 6.1MB
memory/2952-9-0x0000000002F70000-0x0000000002F82000-memory.dmp | 72KB
memory/2952-10-0x0000000005450000-0x000000000548C000-memory.dmp | 240KB
memory/2952-11-0x00000000054E0000-0x00000000054F0000-memory.dmp | 64KB
memory/2952-12-0x0000000005490000-0x00000000054DC000-memory.dmp | 304KB
memory/2952-13-0x0000000074DD0000-0x0000000075580000-memory.dmp | 7.7MB
memory/2952-14-0x00000000056D0000-0x00000000057DA000-memory.dmp | 1.0MB
memory/2952-15-0x00000000054E0000-0x00000000054F0000-memory.dmp | 64KB
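The Signatures and Processes sections above record the classic process-hollowing sequence (the dropper writes into a freshly started signed .NET utility, RegSvcs.exe, and resets its thread context; the hollowed process then enables SeDebugPrivilege), and the Downloads list encodes each dumped region's start and end address in its file name. The following Python is an added example, not code from the sandbox or from the RedLine authors: it rebuilds the report's event rows and dump names as constructed inline data, flags the hollowing chain from them, and recomputes each region's size to cross-check the printed value. The event names and field order, the DOTNET_HOLLOW_TARGETS set beyond RegSvcs.exe, and the size-rendering rule (inferred from the page's own numbers) are this example's assumptions.

```python
"""Added example (not the sandbox's code): re-derive two findings of the
report above from its raw rows. Event tuples and dump names are constructed
from the page; event names, field order and the target set are assumptions."""
import re
from collections import defaultdict

# Signed Microsoft .NET utilities commonly used as hollowing targets.
# RegSvcs.exe is the one in this report; the others are assumed additions.
DOTNET_HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                         "installutil.exe", "aspnet_compiler.exe"}

SAMPLE = "1f2f4b97cf33e38fd3673f203e663ae0.exe"

# (event, src_pid, src_image, dst_pid, dst_image, detail) - constructed from the
# Signatures table: five WriteProcessMemory rows, one SetThreadContext, one
# AdjustPrivilegeToken, one WerFault crash report.
EVENTS = (
    [("WriteProcessMemory", 2012, SAMPLE, 2952, "RegSvcs.exe", "")] * 5
    + [("SetThreadContext", 2012, SAMPLE, 2952, "RegSvcs.exe", ""),
       ("AdjustPrivilegeToken", 2952, "RegSvcs.exe", 2952, "RegSvcs.exe", "SeDebugPrivilege"),
       ("ProgramCrash", 1192, "WerFault.exe", 2012, SAMPLE, "")]
)


def detect_hollowing(events):
    """One finding per (src, dst) pair showing both WriteProcessMemory and
    SetThreadContext into a .NET utility; records whether the target later
    enabled SeDebugPrivilege (as RegSvcs.exe, PID 2952, did here)."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src": "", "dst": ""})
    sedebug = set()
    for ev, spid, simg, dpid, dimg, detail in events:
        if ev in ("WriteProcessMemory", "SetThreadContext"):
            p = pairs[(spid, dpid)]
            p["writes" if ev == "WriteProcessMemory" else "ctx"] += 1
            p["src"], p["dst"] = simg, dimg
        elif ev == "AdjustPrivilegeToken" and detail == "SeDebugPrivilege":
            sedebug.add(spid)
    findings = []
    for (spid, dpid), p in pairs.items():
        if p["writes"] and p["ctx"] and p["dst"].lower() in DOTNET_HOLLOW_TARGETS:
            findings.append({"src_pid": spid, "src": p["src"], "dst_pid": dpid,
                             "dst": p["dst"], "writes": p["writes"],
                             "sedebug_in_target": dpid in sedebug})
    return findings


# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, the naming used in Downloads.
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_dump(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end,
            "size": end - start}


def fmt_size(n):
    """Rendering inferred from the page: whole KB up to and including exactly
    1 MiB (the 0x100000 region prints as 1024KB), one decimal of MB above."""
    return f"{n / 1048576:.1f}MB" if n > 1048576 else f"{n // 1024}KB"


# Constructed from the Downloads list: (dump name, size as printed there).
DUMPS = [
    ("memory/2012-1-0x0000000000E20000-0x0000000000F20000-memory.dmp", "1024KB"),
    ("memory/2952-2-0x0000000000400000-0x000000000041E000-memory.dmp", "120KB"),
    ("memory/2952-7-0x0000000074DD0000-0x0000000075580000-memory.dmp", "7.7MB"),
    ("memory/2952-8-0x0000000005A30000-0x0000000006048000-memory.dmp", "6.1MB"),
    ("memory/2952-9-0x0000000002F70000-0x0000000002F82000-memory.dmp", "72KB"),
    ("memory/2952-14-0x00000000056D0000-0x00000000057DA000-memory.dmp", "1.0MB"),
]


def check_dump_sizes(dumps):
    """Map each dump name to True when the recomputed size matches the printed one."""
    return {name: fmt_size(parse_dump(name)["size"]) == printed for name, printed in dumps}


def hollowed_image_region(dumps, pid, base=0x400000):
    """The dumped region of `pid` starting at the conventional 32-bit PE image
    base; for PID 2952 this is the 120KB region both YARA rules matched."""
    for name, _ in dumps:
        d = parse_dump(name)
        if d["pid"] == pid and d["start"] == base:
            return d
    return None


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f"hollowing: {f['src']} ({f['src_pid']}) -> {f['dst']} ({f['dst_pid']}), "
              f"{f['writes']} writes, SeDebugPrivilege in target: {f['sedebug_in_target']}")
    print(check_dump_sizes(DUMPS), hollowed_image_region(DUMPS, 2952))
```

The region at 0x400000 in the hollowed RegSvcs.exe is 0x1E000 bytes (120KB), close to the 125KB sample size, which is consistent with the dropper's payload being mapped in place of the utility's own image; on a live host the same chain would be visible as a cross-process write plus a thread-context change from an unsigned parent into a Microsoft-signed .NET binary.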