Analysis
- max time kernel: 134s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
- submitted: 13/01/2024, 06:14
Static task: static1
Behavioral task: behavioral1
- Sample: 5830307da699815f6d62a4a5d92dbd27.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 5830307da699815f6d62a4a5d92dbd27.exe
- Resource: win10v2004-20231222-en
General
- Target: 5830307da699815f6d62a4a5d92dbd27.exe
- Size: 181KB
- MD5: 5830307da699815f6d62a4a5d92dbd27
- SHA1: 1c721c9592ce6ea05242c8dba3417fefb05e5487
- SHA256: e33dade92668e831e2e4ce734f1e8b7623ab1e019796bae59efb9e65f10e9ba4
- SHA512: 7b96820f87560c0c42c23376201bd9245e61ae66fa78db926dec9b0005e29294ce544fefce6cf8dcd121f49bc5361e94940b66b3899286f52212160599b241e5
- SSDEEP: 3072:rvujCNdWGvnXQemSSTQMHw3DTvatyl4WNO:r7vXQe9STQMHw3DOt1WN
Malware Config
Extracted
- Family: redline
- C2: 178.250.156.64:14504
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4400-0-0x00000000005D0000-0x00000000005EE000-memory.dmp | family_redline
  behavioral2/memory/4928-4-0x00000000002A0000-0x00000000002D1000-memory.dmp | family_redline
- SectopRAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4400-0-0x00000000005D0000-0x00000000005EE000-memory.dmp | family_sectoprat
  behavioral2/memory/4928-4-0x00000000002A0000-0x00000000002D1000-memory.dmp | family_sectoprat
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4928 set thread context of 4400 | 4928 | 5830307da699815f6d62a4a5d92dbd27.exe | 104
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  1980 | 4928 | WerFault.exe | 76
  2400 | 4400 | WerFault.exe | 104
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  4400 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 4928 wrote to memory of 4400 | 4928 | 5830307da699815f6d62a4a5d92dbd27.exe | 104
  (the same row is reported five times, one per write)
Processes
- C:\Users\Admin\AppData\Local\Temp\5830307da699815f6d62a4a5d92dbd27.exe (PID 4928)
  command line: "C:\Users\Admin\AppData\Local\Temp\5830307da699815f6d62a4a5d92dbd27.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4400)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of UnmapMainImage
    - C:\Windows\SysWOW64\WerFault.exe (PID 2400)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 12
      - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 1980)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 268
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1580)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4928 -ip 4928
- C:\Windows\SysWOW64\WerFault.exe (PID 4720)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4400 -ip 4400
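The signature rows above describe a process-hollowing chain: the sample (PID 4928) writes into a freshly started RegSvcs.exe (PID 4400), resets a thread context there, and the RedLine/SectopRAT YARA rules then fire on the memory of both processes. The script below correlates those rows into a single verdict. It is an added example written for this page, not the sandbox's own detection logic: the event and YARA rows are transcribed from the tables above, the UnmapMainImage signature (which the report lists with only a pid) is modelled as a self-targeted event for PID 4400, and the hollowing criterion (WriteProcessMemory plus SetThreadContext into another process whose main image is then unmapped) is this example's own heuristic.

```python
"""Correlate sandbox signature rows into a process-hollowing verdict.

Added example for this report page; not the sandbox vendor's code.
Rows below are transcribed from the report's signature tables.
"""
import re
from collections import defaultdict

# Memory-dump resource names have the shape
#   <task>/memory/<pid>-<idx>-0x<base>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (resource, yara_rule) rows from "RedLine payload" and "SectopRAT payload"
YARA_HITS = [
    ("behavioral2/memory/4400-0-0x00000000005D0000-0x00000000005EE000-memory.dmp", "family_redline"),
    ("behavioral2/memory/4928-4-0x00000000002A0000-0x00000000002D1000-memory.dmp", "family_redline"),
    ("behavioral2/memory/4400-0-0x00000000005D0000-0x00000000005EE000-memory.dmp", "family_sectoprat"),
    ("behavioral2/memory/4928-4-0x00000000002A0000-0x00000000002D1000-memory.dmp", "family_sectoprat"),
]

# (signature, source_pid, target_pid) rows from the API signatures.
# UnmapMainImage is reported with a single pid; modelled here as self-targeted.
API_EVENTS = [
    ("SetThreadContext", 4928, 4400),
    ("WriteProcessMemory", 4928, 4400),   # reported five times for this pair
    ("UnmapMainImage", 4400, 4400),
]

PROCESSES = {
    4928: r"C:\Users\Admin\AppData\Local\Temp\5830307da699815f6d62a4a5d92dbd27.exe",
    4400: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
}

C2_RAW = "178.250.156.64:14504"   # from the extracted RedLine config


def parse_dump_name(name):
    """Split a dump resource name into task, pid, dump index and region bounds."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("unrecognised dump resource name: " + name)
    base, end = int(m.group("base"), 16), int(m.group("end"), 16)
    return {"task": m.group("task"), "pid": int(m.group("pid")),
            "idx": int(m.group("idx")), "base": base, "end": end,
            "size": end - base}


def yara_families_by_pid(hits):
    """Map pid -> set of YARA rule names that fired on one of its dumps."""
    out = defaultdict(set)
    for resource, rule in hits:
        out[parse_dump_name(resource)["pid"]].add(rule)
    return dict(out)


def hollowing_chains(events):
    """Return (injector, host) pairs matching the hollowing heuristic:
    injector wrote into host and reset a host thread context, and the host
    then unmapped its own main image."""
    by_pair = defaultdict(set)
    for sig, src, dst in events:
        by_pair[(src, dst)].add(sig)
    chains = []
    for src, dst in sorted(by_pair):
        if src == dst:
            continue
        if {"WriteProcessMemory", "SetThreadContext"} <= by_pair[(src, dst)] \
                and "UnmapMainImage" in by_pair.get((dst, dst), set()):
            chains.append((src, dst))
    return chains


def parse_c2(raw):
    """Split 'host:port' from the extracted config into a (host, port) tuple."""
    host, _, port = raw.rpartition(":")
    return host, int(port)


def verdict(events=API_EVENTS, hits=YARA_HITS, procs=PROCESSES, c2=C2_RAW):
    """One finding per hollowing chain, enriched with YARA families and C2."""
    families = yara_families_by_pid(hits)
    findings = []
    for src, dst in hollowing_chains(events):
        findings.append({
            "injector": procs.get(src, "<unknown>"),
            "hollowed_host": procs.get(dst, "<unknown>"),
            "families_in_injector": sorted(families.get(src, ())),
            "families_in_host": sorted(families.get(dst, ())),
            "c2": parse_c2(c2),
        })
    return findings


if __name__ == "__main__":
    for f in verdict():
        print(f)
```

RegSvcs.exe is a signed Microsoft .NET Framework utility, which is why it makes a convenient host for a C# payload such as RedLine: the unpacked stealer runs under a trusted image name and the original file on disk is never the one holding the decoded payload, so the memory dumps (not the dropper) are where the family rules match.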