Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
07-07-2024 01:16
Static task
static1
Behavioral task
behavioral1
Sample
ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe
Resource
win10v2004-20240704-en
General
-
Target
ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe
-
Size
1.5MB
-
MD5
27a8a92f7b2d4ec7977165d5b6aac135
-
SHA1
0ca94d3c5e5fcb6ee0952ec2a9c2e98f5a27c700
-
SHA256
ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4
-
SHA512
da6ef0bd87e597efaa7791d25958039b0bb910532555c8d9c8d542fa38ffc302fbd156f06c0d72db9af647272d77032a65458dc804a220175d1d60a518e27a6f
-
SSDEEP
12288:akprWrfjIMvv+XHw2dOb25Z2TVPFGhWI/CIbYOE/IBikjUGuR:ErAXHw9trGs8CnOliAUh
Malware Config
Extracted
redline
VIP
173.195.100.68:1912
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4748-5-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4952 set thread context of 4748 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 85 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 4748 installutil.exe 4748 installutil.exe 4748 installutil.exe 4748 installutil.exe 4748 installutil.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe Token: SeDebugPrivilege 4748 installutil.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4952 wrote to memory of 4748 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 85 PID 4952 wrote to memory of 4748 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 85 PID 4952 wrote to memory of 4748 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 85 PID 4952 wrote to memory of 4748 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 85 PID 4952 wrote to memory of 4748 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 85 PID 4952 wrote to memory of 4748 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 85 PID 4952 wrote to memory of 4748 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 85 PID 4952 wrote to memory of 4748 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 85 PID 4952 wrote to memory of 3160 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 86 PID 4952 wrote to memory of 3160 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 86 PID 4952 wrote to memory of 3160 4952 ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe"C:\Users\Admin\AppData\Local\Temp\ba8b5e47d1d20028cd7ddb4ea828ebc9e8b7d4c67b332544b8cd253ad606e3c4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵PID:3160
-