Overview
overview
10Static
static
10R B X 1 2 5.rar
windows7-x64
5R B X 1 2 5.rar
windows10-2004-x64
3R B X 1 2 ...nt.exe
windows7-x64
1R B X 1 2 ...nt.exe
windows10-2004-x64
3R B X 1 2 ...or.exe
windows7-x64
7R B X 1 2 ...or.exe
windows10-2004-x64
10R B X 1 2 5/ai.cfg
windows7-x64
3R B X 1 2 5/ai.cfg
windows10-2004-x64
3R B X 1 2 ...rt.pem
windows7-x64
3R B X 1 2 ...rt.pem
windows10-2004-x64
3R B X 1 2 ...ig.vdf
windows7-x64
3R B X 1 2 ...ig.vdf
windows10-2004-x64
3Analysis
-
max time kernel
140s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-08-2024 11:22
Behavioral task
behavioral1
Sample
R B X 1 2 5.rar
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
R B X 1 2 5.rar
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
R B X 1 2 5/Client.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
R B X 1 2 5/Client.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
R B X 1 2 5/Roblox Executor.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
R B X 1 2 5/Roblox Executor.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
R B X 1 2 5/ai.cfg
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
R B X 1 2 5/ai.cfg
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
R B X 1 2 5/cacert.pem
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
R B X 1 2 5/cacert.pem
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
R B X 1 2 5/config.vdf
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
R B X 1 2 5/config.vdf
Resource
win10v2004-20240802-en
General
-
Target
R B X 1 2 5/Roblox Executor.exe
-
Size
610KB
-
MD5
2744b07299dfa1999cff269ea72a2b80
-
SHA1
8f1527af2b2b9f0134d834ab959902ac99b9783f
-
SHA256
91791c26f8831977e9d0b64d25e4e699b6b4e8360377ce3bfec803c5683470ce
-
SHA512
724d7154965865a626b5369afff7d911198d9d9bef728cde2680a0f09565520b69044d21bf063bce5246b52bdad5c46636dd1c1b73a1e0183272a9c1f27be3ab
-
SSDEEP
12288:s/4LI3Kvjc6xh0J5P4bEPcL9XTWMsmNkBFV2KpkL9nI9rNtFamI3v6WZDtWdD+A5:4B3P6IR4bEPU
Malware Config
Extracted
redline
185.196.9.26:6302
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral6/memory/3260-8-0x0000000000410000-0x0000000000462000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Loads dropped DLL 1 IoCs
pid Process 936 Roblox Executor.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 936 set thread context of 3260 936 Roblox Executor.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Roblox Executor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 3260 MSBuild.exe 3260 MSBuild.exe 3260 MSBuild.exe 3260 MSBuild.exe 3260 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3260 MSBuild.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 936 wrote to memory of 3260 936 Roblox Executor.exe 87 PID 936 wrote to memory of 3260 936 Roblox Executor.exe 87 PID 936 wrote to memory of 3260 936 Roblox Executor.exe 87 PID 936 wrote to memory of 3260 936 Roblox Executor.exe 87 PID 936 wrote to memory of 3260 936 Roblox Executor.exe 87 PID 936 wrote to memory of 3260 936 Roblox Executor.exe 87 PID 936 wrote to memory of 3260 936 Roblox Executor.exe 87 PID 936 wrote to memory of 3260 936 Roblox Executor.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\R B X 1 2 5\Roblox Executor.exe"C:\Users\Admin\AppData\Local\Temp\R B X 1 2 5\Roblox Executor.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
508KB
MD527e1b4e12893e15184853ab2a3fef0ea
SHA1394dcd236b89875581cbfa6d3317235f62fb629d
SHA256aeb9f95c5379963ca1d7fcf564fb83f3156aabe75c4569f5e5627012a902a7f2
SHA512a19b025bdad5972ed9225ca49e9e1dec14d68b0b52f86a22df410224cb4fdaa8fa65b084e465df1087bebcd4127b60dc2e6b3e4f05081fde5d59e7cb7c9b3e23