Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 19:13

General

  • Target

    3153ef78e8e9bd27035dfbd657054ff5ededc81194a326325ab0f99cf2b660a4.exe

  • Size

    918KB

  • MD5

    0611d3fb4eff62b6cace176c4ff8ce7c

  • SHA1

    db19f0f7a0bcd239eb21a57e8ce35e931c17fbed

  • SHA256

    3153ef78e8e9bd27035dfbd657054ff5ededc81194a326325ab0f99cf2b660a4

  • SHA512

    d54f261b97e40c59f499e504048f066435b055ec19c468a37c45e9fd230d76a5399bd1d2cb3892b25d09f5fa3a9a959b47d1b85c542f61e700025bf26b349423

  • SSDEEP

    24576:dj/Jnz1GJ3mMB5CGOGwso7h+u3bULc/E3N4L/qztN942j4Oi4fb0QMrGRBgKYcc+:d9n5GJlirku3bULc/E3N4L/qztN942jd

Malware Config

Extracted

Family

redline

Botnet

TORRENTOLD

C2

amrican-sport-live-stream.cc:4581

Attributes
  • auth_value

    74e1b58bf920611f04c0e3919954fe05

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • Redline family
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3153ef78e8e9bd27035dfbd657054ff5ededc81194a326325ab0f99cf2b660a4.exe
    "C:\Users\Admin\AppData\Local\Temp\3153ef78e8e9bd27035dfbd657054ff5ededc81194a326325ab0f99cf2b660a4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 616
        3⤵
        • Program crash
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2076-19-0x00000000744E0000-0x0000000074BCE000-memory.dmp

    Filesize

    6.9MB

  • memory/2076-1-0x0000000000310000-0x00000000003FC000-memory.dmp

    Filesize

    944KB

  • memory/2076-2-0x00000000744E0000-0x0000000074BCE000-memory.dmp

    Filesize

    6.9MB

  • memory/2076-3-0x00000000050D0000-0x00000000051BA000-memory.dmp

    Filesize

    936KB

  • memory/2076-4-0x0000000000600000-0x0000000000616000-memory.dmp

    Filesize

    88KB

  • memory/2076-5-0x0000000004820000-0x00000000048B2000-memory.dmp

    Filesize

    584KB

  • memory/2076-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

    Filesize

    4KB

  • memory/3000-6-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3000-18-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3000-16-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3000-14-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3000-11-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3000-10-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3000-8-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3000-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB