Analysis
max time kernel: 135s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 10:23
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20240611-en
General
Target: file.exe
Size: 935KB
MD5: 75a2d212a591a83a4d0c88a92b390b88
SHA1: 8f69b79a0d6bc6b4def35b38ec46d15e6eb1c1d9
SHA256: cf47a943ec0eb86c16a8d7e6e0ad8c4bfb6063af089e1b3809ed44ac45347e71
SHA512: e7242ef4042f96743a6f999bee1a5ee93a88a6aa83385a28d2b868bd2c2f6734c0bc9192059e5a7862cff747a4dee8a16e9ac10cb659cbd2f05a4a040dd05a47
SSDEEP: 24576:j+qodQCtw8QEZWBiMUp736I5Zqi7P2XZtXtW/Di:iw8QEZWBTXSZqiz2XvXQm
Malware Config
Extracted
  Family: redline
  Botnet: LogsDiller Cloud (TG: @logsdillabot)
  C2: 77.105.135.107:3445
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/2324-1-0x0000000000400000-0x0000000000450000-memory.dmp    family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                            pid   process   target process
    PID 4420 set thread context of 2324    4420  file.exe  RegAsm.exe
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    1788  4420        WerFault.exe  file.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    2324  RegAsm.exe
    2324  RegAsm.exe
    2324  RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2324  RegAsm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                          pid   process   target process
    PID 4420 wrote to memory of 2324     4420  file.exe  RegAsm.exe
    PID 4420 wrote to memory of 2324     4420  file.exe  RegAsm.exe
    PID 4420 wrote to memory of 2324     4420  file.exe  RegAsm.exe
    PID 4420 wrote to memory of 2324     4420  file.exe  RegAsm.exe
    PID 4420 wrote to memory of 2324     4420  file.exe  RegAsm.exe
    PID 4420 wrote to memory of 2324     4420  file.exe  RegAsm.exe
    PID 4420 wrote to memory of 2324     4420  file.exe  RegAsm.exe
    PID 4420 wrote to memory of 2324     4420  file.exe  RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 284
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4420 -ip 4420
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
file                                                               filesize
memory/2324-8-0x00000000054A0000-0x00000000055AA000-memory.dmp     1.0MB
memory/2324-4-0x0000000005180000-0x0000000005212000-memory.dmp     584KB
memory/2324-17-0x0000000074E30000-0x00000000755E0000-memory.dmp    7.7MB
memory/2324-3-0x0000000005690000-0x0000000005C34000-memory.dmp     5.6MB
memory/2324-9-0x00000000053C0000-0x00000000053D2000-memory.dmp     72KB
memory/2324-5-0x0000000005150000-0x000000000515A000-memory.dmp     40KB
memory/2324-6-0x0000000074E30000-0x00000000755E0000-memory.dmp     7.7MB
memory/2324-10-0x0000000005420000-0x000000000545C000-memory.dmp    240KB
memory/2324-2-0x0000000074E3E000-0x0000000074E3F000-memory.dmp     4KB
memory/2324-1-0x0000000000400000-0x0000000000450000-memory.dmp     320KB
memory/2324-7-0x0000000006260000-0x0000000006878000-memory.dmp     6.1MB
memory/2324-11-0x00000000055B0000-0x00000000055FC000-memory.dmp    304KB
memory/2324-12-0x0000000005CD0000-0x0000000005D36000-memory.dmp    408KB
memory/2324-13-0x0000000006AD0000-0x0000000006B20000-memory.dmp    320KB
memory/2324-14-0x0000000008160000-0x0000000008322000-memory.dmp    1.8MB
memory/2324-15-0x0000000008860000-0x0000000008D8C000-memory.dmp    5.2MB
memory/4420-0-0x0000000000FA0000-0x0000000000FA1000-memory.dmp     4KB