Analysis
- max time kernel: 90s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 03:07
Static task: static1
Behavioral task: behavioral1
Sample: 9570506aa6a69053f2d07f64a7e506190e999e55a431501dec05fef12de3e4ea.exe
Resource: win7-20231129-en
General
- Target: 9570506aa6a69053f2d07f64a7e506190e999e55a431501dec05fef12de3e4ea.exe
- Size: 492KB
- MD5: c32028c1d21ffb0f950fd89633908c06
- SHA1: c3f8c7d7e684ecf88014deba0d2faec05c11830d
- SHA256: 9570506aa6a69053f2d07f64a7e506190e999e55a431501dec05fef12de3e4ea
- SHA512: 3fced92d5a29d6129c043d9f19efbc98dff246984217d904aa4c6fbecad40384325831a428f00c4db0037959003d6d9d15625dfa6c27edc0e80e949d0c2b228c
- SSDEEP: 12288:sBGtU4PI3MHnOqY3xa4RufYXx7so6swy7Ko8:sIvPq1v6swy7B
Malware Config
Extracted
- Family: redline
- Botnet: @oleh_psp
- C2: 185.172.128.33:8970
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
  resource: behavioral2/memory/536-1-0x0000000000400000-0x0000000000450000-memory.dmp, yara_rule: family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 3296 (9570506aa6a69053f2d07f64a7e506190e999e55a431501dec05fef12de3e4ea.exe) set thread context of PID 536 (RegAsm.exe)
- Program crash (1 IoC)
  Processes:
  PID 2020 (WerFault.exe), target PID 3296 (9570506aa6a69053f2d07f64a7e506190e999e55a431501dec05fef12de3e4ea.exe)
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
  PID 536 (RegAsm.exe), 15 identical entries
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  PID 536 (RegAsm.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  PID 3296 (9570506aa6a69053f2d07f64a7e506190e999e55a431501dec05fef12de3e4ea.exe) wrote to memory of PID 5112 (RegAsm.exe), 3 entries
  PID 3296 (9570506aa6a69053f2d07f64a7e506190e999e55a431501dec05fef12de3e4ea.exe) wrote to memory of PID 536 (RegAsm.exe), 8 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\9570506aa6a69053f2d07f64a7e506190e999e55a431501dec05fef12de3e4ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9570506aa6a69053f2d07f64a7e506190e999e55a431501dec05fef12de3e4ea.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 280
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3296 -ip 3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/536-8-0x00000000056F0000-0x00000000057FA000-memory.dmp (Filesize 1.0MB)
- memory/536-4-0x0000000005370000-0x0000000005402000-memory.dmp (Filesize 584KB)
- memory/536-17-0x0000000074CC0000-0x0000000075470000-memory.dmp (Filesize 7.7MB)
- memory/536-3-0x0000000005880000-0x0000000005E24000-memory.dmp (Filesize 5.6MB)
- memory/536-9-0x00000000055E0000-0x00000000055F2000-memory.dmp (Filesize 72KB)
- memory/536-5-0x0000000005360000-0x000000000536A000-memory.dmp (Filesize 40KB)
- memory/536-6-0x0000000074CC0000-0x0000000075470000-memory.dmp (Filesize 7.7MB)
- memory/536-10-0x0000000005640000-0x000000000567C000-memory.dmp (Filesize 240KB)
- memory/536-2-0x0000000074CCE000-0x0000000074CCF000-memory.dmp (Filesize 4KB)
- memory/536-1-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize 320KB)
- memory/536-7-0x0000000006450000-0x0000000006A68000-memory.dmp (Filesize 6.1MB)
- memory/536-11-0x0000000005690000-0x00000000056DC000-memory.dmp (Filesize 304KB)
- memory/536-12-0x0000000005EF0000-0x0000000005F56000-memory.dmp (Filesize 408KB)
- memory/536-13-0x0000000006F90000-0x0000000007152000-memory.dmp (Filesize 1.8MB)
- memory/536-14-0x0000000007690000-0x0000000007BBC000-memory.dmp (Filesize 5.2MB)
- memory/536-15-0x0000000007360000-0x00000000073B0000-memory.dmp (Filesize 320KB)
- memory/3296-0-0x0000000001370000-0x0000000001371000-memory.dmp (Filesize 4KB)