Analysis
max time kernel: 36s
max time network: 71s
platform: windows7_x64
resource: win7-20220414-en
submitted: 15-06-2022 12:09
Static task: static1
Behavioral task: behavioral1 (Sample: Installer.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Installer.exe, Resource: win10v2004-20220414-en)
General
Target: Installer.exe
Size: 586.3MB
MD5: 56cae4e535bb14d5b699a1f3b3a372f0
SHA1: 8e085dc03bc975c10ebe2076962c17f8bd369e98
SHA256: f919ca0a5c6bff30ebed640b411b8a1a73350497fdd6087e1a24f7d9648724bf
SHA512: 37e9233427fd3c990d637e406c58430319d6c6d10798ebdff25e81dccca32e5620e6dca44937adea7263888562e02c2488f04e2578e4b70bdf08a4b8053ba6fd
Malware Config
Extracted
Family: redline
Botnet: 777
C2: 89.22.227.140:31288
auth_value: e42115cf07e73321acdde5e388b0aef9
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (7 IoCs)
YARA rule family_redline matched the following memory dumps, all taken from PID 844 (vbc.exe). Six of the seven cover the same 128KB region 0x0000000000080000-0x00000000000A0000; the seventh is the mapping dump at 0x000000000041AD7A.
behavioral1/memory/844-59-0x0000000000080000-0x00000000000A0000-memory.dmp
behavioral1/memory/844-60-0x0000000000080000-0x00000000000A0000-memory.dmp
behavioral1/memory/844-62-0x000000000041AD7A-mapping.dmp
behavioral1/memory/844-64-0x0000000000080000-0x00000000000A0000-memory.dmp
behavioral1/memory/844-63-0x0000000000080000-0x00000000000A0000-memory.dmp
behavioral1/memory/844-68-0x0000000000080000-0x00000000000A0000-memory.dmp
behavioral1/memory/844-71-0x0000000000080000-0x00000000000A0000-memory.dmp
Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
The child process is the signed .NET Framework compiler vbc.exe, launched with no source file to compile. Together with the SetThreadContext and WriteProcessMemory events below and the RedLine YARA hits inside its memory, this indicates vbc.exe is being used as a hollowed host for the payload rather than as a compiler.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
PID 1540 (Installer.exe) set the thread context of PID 844 (vbc.exe).

Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 844 (vbc.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
PID 1540 (Installer.exe): SeDebugPrivilege
PID 844 (vbc.exe): SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
PID 1540 (Installer.exe) wrote to the memory of PID 844 (vbc.exe), 9 times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\Installer.exe (PID 1540)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 844), child of 1
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dump file                                                         Size
memory/844-56-0x0000000000080000-0x00000000000A0000-memory.dmp    128KB
memory/844-57-0x0000000000080000-0x00000000000A0000-memory.dmp    128KB
memory/844-59-0x0000000000080000-0x00000000000A0000-memory.dmp    128KB
memory/844-60-0x0000000000080000-0x00000000000A0000-memory.dmp    128KB
memory/844-62-0x000000000041AD7A-mapping.dmp                      (mapping, no size listed)
memory/844-64-0x0000000000080000-0x00000000000A0000-memory.dmp    128KB
memory/844-63-0x0000000000080000-0x00000000000A0000-memory.dmp    128KB
memory/844-68-0x0000000000080000-0x00000000000A0000-memory.dmp    128KB
memory/844-71-0x0000000000080000-0x00000000000A0000-memory.dmp    128KB
memory/1540-54-0x0000000000F30000-0x0000000000F90000-memory.dmp   384KB
memory/1540-55-0x00000000768D1000-0x00000000768D3000-memory.dmp   8KB
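The script below is an added example and is not part of the sandbox report or its data format. It transcribes the process tree, the SetThreadContext/WriteProcessMemory events from the Signatures section and the dump names from the Downloads section into Python, then correlates them the way a detection rule would: a process that both writes into and sets the thread context of a child it spawned is flagged as a hollowing candidate, with an extra flag when the child is a binary under Microsoft.NET\Framework. It also parses the dump names and checks that the region sizes match the listed sizes. The tuple layout of the events, the process table and the .NET-path heuristic are assumptions made for this example.

```python
"""Correlate sandbox behaviour events and memory-dump names into a
process-hollowing verdict. Example code; inputs are transcribed from the
report above, not pulled from any sandbox API (assumed event layout)."""
import re
from collections import defaultdict

# Process tree from the report: pid -> (image path, parent pid or None).
PROCESSES = {
    1540: (r"C:\Users\Admin\AppData\Local\Temp\Installer.exe", None),
    844: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", 1540),
}

# Behaviour events from the Signatures section as (source pid, operation,
# target pid). Operations without a target carry None. WriteProcessMemory
# fired nine times from 1540 onto 844.
EVENTS = (
    [(1540, "SetThreadContext", 844)]
    + [(1540, "WriteProcessMemory", 844)] * 9
    + [
        (1540, "SeDebugPrivilege", None),
        (844, "SeDebugPrivilege", None),
        (844, "EnumeratesProcesses", None),
    ]
)

# Dump file names from the Downloads section (constructed list, same names).
DUMPS = [
    "memory/844-56-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/844-57-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/844-59-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/844-60-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/844-62-0x000000000041AD7A-mapping.dmp",
    "memory/844-64-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/844-63-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/844-68-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/844-71-0x0000000000080000-0x00000000000A0000-memory.dmp",
    "memory/1540-54-0x0000000000F30000-0x0000000000F90000-memory.dmp",
    "memory/1540-55-0x00000000768D1000-0x00000000768D3000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)(?:-0x([0-9a-fA-F]+))?-(memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, seq, start, end); end is None for a mapping dump."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end, _kind = m.groups()
    return int(pid), int(seq), int(start, 16), (int(end, 16) if end else None)


def region_sizes(names):
    """Map pid -> {(start, end): size in bytes} for every full-region dump.
    Repeated dumps of the same region collapse to one entry."""
    out = defaultdict(dict)
    for name in names:
        pid, _seq, start, end = parse_dump_name(name)
        if end is not None:
            out[pid][(start, end)] = end - start
    return dict(out)


def detect_hollowing(events, processes):
    """Flag a source that both wrote memory into and set the thread context
    of another process. Either call alone is noisy (debuggers, installers);
    the pair on the same target, especially a child the source spawned, is
    the create-suspended / write / set-context / resume pattern."""
    per_pair = defaultdict(lambda: {"writes": 0, "ctx": False})
    for src, op, dst in events:
        if dst is None:
            continue
        if op == "WriteProcessMemory":
            per_pair[(src, dst)]["writes"] += 1
        elif op == "SetThreadContext":
            per_pair[(src, dst)]["ctx"] = True

    findings = []
    for (src, dst), seen in per_pair.items():
        if not (seen["ctx"] and seen["writes"]):
            continue
        dst_image, dst_parent = processes.get(dst, ("?", None))
        findings.append({
            "source": src,
            "target": dst,
            "target_image": dst_image,
            "writes": seen["writes"],
            "is_child": dst_parent == src,
            # Heuristic (assumption): signed .NET compiler hosts are a
            # frequent hollowing target, so call them out explicitly.
            "signed_dotnet_host": "\\Microsoft.NET\\Framework" in dst_image,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(EVENTS, PROCESSES):
        print(finding)
    for pid, regions in region_sizes(DUMPS).items():
        for (start, end), size in regions.items():
            print(f"pid {pid}: 0x{start:X}-0x{end:X} = {size // 1024}KB")
```

Run stand-alone it reports one finding, 1540 -> 844 with nine writes onto a child under Microsoft.NET\Framework, and confirms that the 0x80000-0xA0000 region in PID 844 is 128KB and the 0x768D1000-0x768D3000 region in PID 1540 is 8KB, matching the sizes the report lists.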