Analysis

- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 06:47

Static task: static1

Behavioral task: behavioral1
- Sample: 464709f3215d06f6703eb4ecb607ae7a.exe
- Resource: win7-20240611-en
General

- Target: 464709f3215d06f6703eb4ecb607ae7a.exe
- Size: 1.0MB
- MD5: 464709f3215d06f6703eb4ecb607ae7a
- SHA1: 1f438f2ab699f842cec119981ae5bf799df5d203
- SHA256: a591d3d035cf90395ad1078a415a46b5b44dd813496291b702fe36cfb22dee36
- SHA512: 007b3d6c7da18c9d8b31991520d18fa2ee323cf8b4d8ea153d74cf93d5bfb38df79bc65a968cc6e07c996c451f0f1c8b2a0b9f0529a6b67ca148cc27adf1eda9
- SSDEEP: 24576:3AHnh+eWsN3skA4RV1Hom2KXMmHaeAfg3sujtg5:qh+ZkldoPK8YaeAfTYg
Malware Config

Extracted
- Family: redline
- Botnet: wordfile
- C2: 185.38.142.10:7474
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoC)
  Resource: behavioral2/memory/1392-11-0x0000000000400000-0x000000000041E000-memory.dmp
  YARA rule: family_redline

- SectopRAT payload (1 IoC)
  Resource: behavioral2/memory/1392-11-0x0000000000400000-0x000000000041E000-memory.dmp
  YARA rule: family_sectoprat

- Suspicious use of SetThreadContext (1 IoC)
  Description: PID 1496 set thread context of 1392
  PID: 1496
  Process: 464709f3215d06f6703eb4ecb607ae7a.exe
  Target process: RegSvcs.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  PID: 1496
  Process: 464709f3215d06f6703eb4ecb607ae7a.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeDebugPrivilege
  PID: 1392
  Process: RegSvcs.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID: 1496
  Process: 464709f3215d06f6703eb4ecb607ae7a.exe (2 events)

- Suspicious use of SendNotifyMessage (2 IoCs)
  PID: 1496
  Process: 464709f3215d06f6703eb4ecb607ae7a.exe (2 events)

- Suspicious use of WriteProcessMemory (4 IoCs)
  Description: PID 1496 wrote to memory of 1392
  PID: 1496
  Process: 464709f3215d06f6703eb4ecb607ae7a.exe
  Target process: RegSvcs.exe
  (4 identical events)
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\464709f3215d06f6703eb4ecb607ae7a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\464709f3215d06f6703eb4ecb607ae7a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\464709f3215d06f6703eb4ecb607ae7a.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

Memory dump (resource) / Filesize
- memory/1392-11-0x0000000000400000-0x000000000041E000-memory.dmp / 120KB
- memory/1392-12-0x0000000074B5E000-0x0000000074B5F000-memory.dmp / 4KB
- memory/1392-13-0x0000000005450000-0x0000000005A68000-memory.dmp / 6.1MB
- memory/1392-14-0x0000000004DD0000-0x0000000004DE2000-memory.dmp / 72KB
- memory/1392-15-0x0000000004E70000-0x0000000004EAC000-memory.dmp / 240KB
- memory/1392-16-0x0000000004EB0000-0x0000000004EFC000-memory.dmp / 304KB
- memory/1392-17-0x0000000074B50000-0x0000000075300000-memory.dmp / 7.7MB
- memory/1392-18-0x00000000050E0000-0x00000000051EA000-memory.dmp / 1.0MB
- memory/1392-19-0x0000000074B5E000-0x0000000074B5F000-memory.dmp / 4KB
- memory/1392-20-0x0000000074B50000-0x0000000075300000-memory.dmp / 7.7MB
- memory/1496-10-0x0000000001B50000-0x0000000001B54000-memory.dmp / 16KB