Analysis
max time kernel: 140s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 11:30
Behavioral task: behavioral1
  Sample: R B X 1 2 5/Roblox Executor.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: R B X 1 2 5/Roblox Executor.exe
  Resource: win10v2004-20240802-en
General
Target: R B X 1 2 5/Roblox Executor.exe
Size: 610KB
MD5: 2744b07299dfa1999cff269ea72a2b80
SHA1: 8f1527af2b2b9f0134d834ab959902ac99b9783f
SHA256: 91791c26f8831977e9d0b64d25e4e699b6b4e8360377ce3bfec803c5683470ce
SHA512: 724d7154965865a626b5369afff7d911198d9d9bef728cde2680a0f09565520b69044d21bf063bce5246b52bdad5c46636dd1c1b73a1e0183272a9c1f27be3ab
SSDEEP: 12288:s/4LI3Kvjc6xh0J5P4bEPcL9XTWMsmNkBFV2KpkL9nI9rNtFamI3v6WZDtWdD+A5:4B3P6IR4bEPU
Malware Config
Extracted: redline
  185.196.9.26:6302
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoCs)
  resource: behavioral2/memory/1712-8-0x0000000000400000-0x0000000000452000-memory.dmp
  yara_rule: family_redline

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.

Loads dropped DLL (1 IoCs)
  pid: 208
  Process: Roblox Executor.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 208 set thread context of 1712
  pid: 208
  Process: Roblox Executor.exe
  procid_target: 87
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: Roblox Executor.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: MSBuild.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid: 1712
  Process: MSBuild.exe (5 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 1712
  Process: MSBuild.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 208 wrote to memory of 1712
  pid: 208
  Process: Roblox Executor.exe
  procid_target: 87
  (8 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\R B X 1 2 5\Roblox Executor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\R B X 1 2 5\Roblox Executor.exe"
  PID: 208
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 1712
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 508KB
MD5: 27e1b4e12893e15184853ab2a3fef0ea
SHA1: 394dcd236b89875581cbfa6d3317235f62fb629d
SHA256: aeb9f95c5379963ca1d7fcf564fb83f3156aabe75c4569f5e5627012a902a7f2
SHA512: a19b025bdad5972ed9225ca49e9e1dec14d68b0b52f86a22df410224cb4fdaa8fa65b084e465df1087bebcd4127b60dc2e6b3e4f05081fde5d59e7cb7c9b3e23