Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 01:46
Behavioral task: behavioral1
- Sample: 471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe
- Resource: win10v2004-20240426-en
General
- Target: 471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe
- Size: 141KB
- MD5: b9f762b1e51df7b8df10fb4bec204754
- SHA1: 5fa0988eb0fec59db77e625568fe57fdedd840cc
- SHA256: 471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c
- SHA512: d18e243be62963465ef2da1857fca1422bf89e8925d1ead98b8ad3aa0c182083474c209091f292f20f39a0c6603f65c5e91c502d54452c11d54f13f3b45b4a70
- SSDEEP: 3072:5K1JZOpTvVQZ+rcIeRYs6YmszJqoD2z7BpGGoMTb3R35dINX9r5Px8:IOpu0rjeRbVJqoD+1pGGoMTb3RDINN
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes (resource | yara_rule):
  behavioral1/memory/2436-1-0x0000000000300000-0x000000000032A000-memory.dmp | family_redline
- Kills process with taskkill (1 IoC)
  Processes (pid | process):
  2488 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2488 | taskkill.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 2436 wrote to memory of 2200 | 2436 | 471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe | cmd.exe
  PID 2436 wrote to memory of 2200 | 2436 | 471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe | cmd.exe
  PID 2436 wrote to memory of 2200 | 2436 | 471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe | cmd.exe
  PID 2436 wrote to memory of 2200 | 2436 | 471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe | cmd.exe
  PID 2200 wrote to memory of 2488 | 2200 | cmd.exe | taskkill.exe
  PID 2200 wrote to memory of 2488 | 2200 | cmd.exe | taskkill.exe
  PID 2200 wrote to memory of 2488 | 2200 | cmd.exe | taskkill.exe
  PID 2200 wrote to memory of 2488 | 2200 | cmd.exe | taskkill.exe
  PID 2200 wrote to memory of 2732 | 2200 | cmd.exe | choice.exe
  PID 2200 wrote to memory of 2732 | 2200 | cmd.exe | choice.exe
  PID 2200 wrote to memory of 2732 | 2200 | cmd.exe | choice.exe
  PID 2200 wrote to memory of 2732 | 2200 | cmd.exe | choice.exe
Processes (process tree; depth shown in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C taskkill /F /PID 2436 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID 2436
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\choice.exe
      Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)
- memory/2436-0-0x000000007456E000-0x000000007456F000-memory.dmp (filesize: 4KB)
- memory/2436-1-0x0000000000300000-0x000000000032A000-memory.dmp (filesize: 168KB)
- memory/2436-2-0x0000000074560000-0x0000000074C4E000-memory.dmp (filesize: 6.9MB)
- memory/2436-3-0x0000000074560000-0x0000000074C4E000-memory.dmp (filesize: 6.9MB)