Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-04-2024 01:30
Static task
static1
Behavioral task
behavioral1
Sample
804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe
Resource
win10v2004-20240226-en
General
-
Target
804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe
-
Size
469KB
-
MD5
7fe965830a88092157b8f558a6aa3c3c
-
SHA1
727a3f4efcd686b67224ab655f438b7878d1ee18
-
SHA256
804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340
-
SHA512
f31d76c1236db390975ba9b8ef5212b8b94275cc0e967894cb334d6e24d2e76afc7c3449d515173c732dcfb703b70c82aa0eeb88cbfa56de73bcda49213cc5f6
-
SSDEEP
6144:dZlB8LBngajQdG5uRWaV7P8psETjdTyK0Qh/wS+dDaUIVVPmKErwNfiQuZx5Wwpr:3lBm8euLP8KEXdu7amkDVbEMNubTpr
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2208-0-0x00000000000A0000-0x0000000000117000-memory.dmp family_redline -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2032 2208 WerFault.exe 804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exedescription pid process target process PID 2208 wrote to memory of 2032 2208 804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe WerFault.exe PID 2208 wrote to memory of 2032 2208 804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe WerFault.exe PID 2208 wrote to memory of 2032 2208 804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe WerFault.exe PID 2208 wrote to memory of 2032 2208 804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe"C:\Users\Admin\AppData\Local\Temp\804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1202⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2208-0-0x00000000000A0000-0x0000000000117000-memory.dmpFilesize
476KB