Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-03-2024 16:49
Behavioral tasks
behavioral1: Sample Aurora_V2/Aurora.exe, Resource win7-20240221-en
behavioral2: Sample Aurora_V2/Aurora.exe, Resource win10-20240221-en
behavioral3: Sample Aurora_V2/scripts/scripts.dll, Resource win7-20240221-en
behavioral4: Sample Aurora_V2/scripts/scripts.dll, Resource win10-20240221-en
General
Target: Aurora_V2/Aurora.exe
Size: 620KB
MD5: 403c733d425c072e88fc4a61595519dc
SHA1: ad25c881299ef6ac612ea36cdd40884caa479ba4
SHA256: 96666cb323337b2fc5e3b87369639e637df2bb864a18422fd115c0f8f198b879
SHA512: 1a30c2be85ec14cb644f3a81062a05b2759c09b6e29245a6856320f47865cd207b694feac6951e1d91c2350cfbe0bdbca2b302d02e92e3286de7bd2b9aafcf3e
SSDEEP: 12288:vSIl566+QljEifBxARfzH5tCe7xChZZ8F39YaLFWlrSpKKIul5:Z5qUEi0RfzF7cH8waLQlaIul5
Malware Config
Extracted: redline
@dxrkl0rd
45.15.156.167:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
Processes:
resource                                                                       yara_rule
behavioral1/memory/2756-0-0x0000000000120000-0x0000000000170000-memory.dmp     family_redline

Program crash (1 IoC)
Processes:
pid    pid_target   process        target process
1852   2756         WerFault.exe   Aurora.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                         pid    process      target process
PID 2756 wrote to memory of 1852    2756   Aurora.exe   WerFault.exe
PID 2756 wrote to memory of 1852    2756   Aurora.exe   WerFault.exe
PID 2756 wrote to memory of 1852    2756   Aurora.exe   WerFault.exe
PID 2756 wrote to memory of 1852    2756   Aurora.exe   WerFault.exe