Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-11-2024 03:44
Behavioral task
behavioral1
Sample
53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe
Resource
win10v2004-20241007-en
General
-
Target
53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe
-
Size
203KB
-
MD5
f22739fd155f021421ffe74f053a4507
-
SHA1
84744009bf109831025c1ac0262749f23c3f29c6
-
SHA256
53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549
-
SHA512
7de9b4997fd205b135d042d6a65df7d4a008f10be41a75d55688c7dc4e14902186e9f88fc4a68d6ef60696b2c15b3a53c7d118de24f217c03e55de9f981cbe0e
-
SSDEEP
3072:Lma2Tw13jglOswfrLya3ApH+CNekWJnU0mPjd76ootSc/3smYMXrv:Ln2J1wfrLyaIeCNpWOPjd4BEdu
Malware Config
Extracted
redline
37.252.9.247:37711
-
auth_value
026e3efe08173cd9cc43c61448ed20f6
Signatures
-
Gurcu family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2768-9-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2768-13-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2768-11-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2768-7-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral1/memory/2768-6-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
Redline family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2248 set thread context of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30 PID 2248 wrote to memory of 2768 2248 53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe"C:\Users\Admin\AppData\Local\Temp\53661074d0a6b4e280ebac14d61444984eb1513dd4a63e32d077d291f2167549.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd2⤵
- System Location Discovery: System Language Discovery
PID:2768
-