Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted
07-07-2024 04:09
Static task
static1
Behavioral task
behavioral1
Sample
072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe
Resource
win10v2004-20240704-en
General
-
Target
072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe
-
Size
2.3MB
-
MD5
1eb29fab9f8aa23ffd3de7cc20af03fd
-
SHA1
55240155e013abb7cf076d3b9629137bac6c23d0
-
SHA256
072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de
-
SHA512
736178980a7cfe902a7a48613b7768cf1f4bebc610e72872162b103716ee460b3bb7019a6a1101cf2f7a1c407277d904892351d6fe3067d32cfd7d2baade0bd4
-
SSDEEP
12288:kEmnpQX49TUdEY/s0nCDXS58xHQpg92Yc8tYLJDJtqUQcMb:Ap
Malware Config
Extracted
redline
1612335857
C2 (two URLs joined by "*" in the extracted string):
https://t.me/+7Lir0e4Gw381MDhi
https://steamcommunity.com/profiles/76561199038841443
Both are pages on public web services (a Telegram invite link and a Steam community profile) rather than attacker-owned infrastructure, so they serve as dead-drop resolvers that point to the real C2; alert or block on the full URLs and profile ID, not on the t.me or steamcommunity.com domains.
Signatures
-
RedLine
RedLine Stealer is an information-stealing malware family written in C# (.NET), first seen in early 2020; it harvests browser credentials and cryptocurrency wallet data, which matches the wallet-access signature listed below.
-
RedLine payload 1 IoCs
resource: behavioral2/memory/400-10-0x0000000000400000-0x0000000000422000-memory.dmp | yara_rule: family_redline
(the match is a 0x22000-byte region starting at 0x400000 inside PID 400, the MSBuild.exe child; 0x400000 is the default image base of a 32-bit PE, so this is the payload image that was written into the hollowed host, not MSBuild's own code)
Loads dropped DLL 1 IoCs
pid 60 | Process 072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description: PID 60 set thread context of 400 | pid 60 | Process 072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe | procid_target 86
SetThreadContext from the parent (PID 60) on the freshly started MSBuild.exe (PID 400), combined with the WriteProcessMemory events from the same parent to the same child, is the process-hollowing sequence: the sample starts a legitimate signed binary, overwrites its memory with the RedLine payload and redirects the main thread into it.
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid 400 | Process MSBuild.exe (the same entry is listed 13 times)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege | pid 400 | Process MSBuild.exe
Suspicious use of WriteProcessMemory 8 IoCs
description: PID 60 wrote to memory of 400 | pid 60 | Process 072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe | procid_target 86 (the same entry is listed 8 times)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 60
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of PID 60)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 400
Note the child is the 32-bit .NET Framework MSBuild.exe (the Framework, not Framework64, directory), launched with no project file or arguments at all and with a non-MSBuild parent in a user's Temp directory; an argument-less MSBuild.exe whose parent is not Visual Studio or a build agent is a hunting signal on its own, before any memory scan.
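The SetThreadContext and WriteProcessMemory rows, the process tree and the memory YARA hit are individually weak but together identify a hollowed MSBuild.exe. The script below is an added triage example, not part of this report or of any sandbox's own tooling: it parses the report's signature rows (embedded as constructed sample input in exactly the row format used above), correlates write-plus-thread-context pairs per parent/child, looks up the child image, and checks whether the YARA-flagged memory region sits at the 32-bit default image base. The KNOWN_HOLLOW_HOSTS list and the row regexes are assumptions for this illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the SetThreadContext / WriteProcessMemory signature rows from this
# report (PID 60 -> PID 400), reproduced as raw lines; not output of any sandbox API.
SIGNATURE_LINES = (
    "PID 60 set thread context of 400 60 072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe 86\n"
    + "PID 60 wrote to memory of 400 60 072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe 86\n" * 8
)

# Constructed process list (pid -> image path), taken from the Processes section of the report.
PROCESS_IMAGES = {
    60: r"C:\Users\Admin\AppData\Local\Temp\072be0734cd0581ff396918e854786fa2db17b086a06595e5b6418e80dc331de.exe",
    400: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
}

# Constructed: the memory-dump resource name and YARA rule from the "RedLine payload" signature.
MEMORY_HITS = {
    "behavioral2/memory/400-10-0x0000000000400000-0x0000000000422000-memory.dmp": "family_redline",
}

# Assumption: an illustrative set of signed Windows/.NET binaries commonly used as hollowing hosts.
KNOWN_HOLLOW_HOSTS = {
    "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe", "regsvr32.exe", "vbc.exe",
}

# Row format assumed from this report: "PID <src> <verb> <dst> <src> <image> <procid_target>".
EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)\b")
# Dump name format assumed from this report: ".../memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp".
DUMP_RE = re.compile(r"/memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)


def parse_injection_events(text):
    """Return {(injector_pid, target_pid): Counter(api_name -> count)}."""
    events = defaultdict(Counter)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        api = "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory"
        events[(src, dst)][api] += 1
    return events


def parse_memory_hits(hits):
    """Return {pid: [(start, end, yara_rule), ...]} parsed from dump resource names."""
    regions = defaultdict(list)
    for path, rule in hits.items():
        m = DUMP_RE.search(path)
        if m:
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16), rule))
    return regions


def find_hollowing(events, images, regions):
    """Flag parent->child pairs that both wrote the child's memory and reset a thread context."""
    findings = []
    for (src, dst), counts in events.items():
        if not (counts["SetThreadContext"] and counts["WriteProcessMemory"]):
            continue
        target = images.get(dst, "").rsplit("\\", 1)[-1].lower()
        hits = regions.get(dst, [])
        findings.append({
            "injector_pid": src,
            "target_pid": dst,
            "target_image": target,
            "known_hollow_host": target in KNOWN_HOLLOW_HOSTS,
            "writes": counts["WriteProcessMemory"],
            # 0x400000 is the default image base of a 32-bit PE; a hollowed payload is
            # usually mapped there in place of the host's original image.
            "payload_at_default_base": any(s == 0x400000 for s, _, _ in hits),
            "payload_bytes": max((e - s for s, e, _ in hits), default=0),
            "yara_families": sorted({r for _, _, r in hits}),
        })
    return findings


def triage():
    """Run the correlation over the constructed rows from this report."""
    return find_hollowing(
        parse_injection_events(SIGNATURE_LINES),
        PROCESS_IMAGES,
        parse_memory_hits(MEMORY_HITS),
    )


if __name__ == "__main__":
    for f in triage():
        print(f"PID {f['injector_pid']} -> PID {f['target_pid']} ({f['target_image']}): "
              f"{f['writes']} writes, hollow host={f['known_hollow_host']}, "
              f"payload {f['payload_bytes']:#x} bytes at default base={f['payload_at_default_base']}, "
              f"families={f['yara_families']}")
```

The same correlation (WriteProcessMemory and SetThreadContext from one parent into one child, child image in a known-host list) is what an EDR rule for T1055-style hollowing looks like; the memory-region check only adds confidence when a dump is available, so keep the API-pair condition as the primary trigger.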
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
234KB
MD5 91288f08d821065212b4d3961a089d61
SHA1 0856b3569a2142d8a9ba98e3d9f75d153f6a2730
SHA256 8d858003c78bc10639fcad6334a7b4d63c9e746e442b4715c4575c8198bb73bf
SHA512 3bff64d3abb69923f58113701ed8a6ad268d400357ef57440c6aae279147dd8291a34346586143106e32797829c6c946b56387475252134ba3eef883766f93e7