redline | d4e46ded5bca4a7086100e2296e9f434d357af08cc5153091834f0b6969133f6

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
06-08-2022 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D4E46DED5BCA4A7086100E2296E9F434D357AF08CC515.exe
Size

3.5MB
MD5

9ce5f14b8594d39723d696d393ed5cd5
SHA1

920a12bb0dce60d81d9b149a5d8fb8e7893ffd56
SHA256

d4e46ded5bca4a7086100e2296e9f434d357af08cc5153091834f0b6969133f6
SHA512

b0652648aa7b94764be0f27a4941680c6a7ba12b367713e2aac149be1ccd572ecaf1deca6d637e23f4995c04b636d240445f849bbc7bae7ffd6b3b441e7b1be6

Score

10^/10

redline 3 discovery infostealer vmprotect

Malware Config

Extracted

Family

redline

Botnet

95.217.188.140:33503

Attributes

auth_value
a34cc5e78c548506cf8a16e5ac230fff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1428-57-0x00000000024C0000-0x00000000024E4000-memory.dmp	family_redline
behavioral1/memory/1428-58-0x0000000002590000-0x00000000025B2000-memory.dmp	family_redline

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1428-54-0x0000000000400000-0x0000000000970000-memory.dmp	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

D4E46DED5BCA4A7086100E2296E9F434D357AF08CC515.exe

pid process

1428 D4E46DED5BCA4A7086100E2296E9F434D357AF08CC515.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

D4E46DED5BCA4A7086100E2296E9F434D357AF08CC515.exe

description pid process

Token: SeDebugPrivilege 1428 D4E46DED5BCA4A7086100E2296E9F434D357AF08CC515.exe

pid	process
1428	D4E46DED5BCA4A7086100E2296E9F434D357AF08CC515.exe

description	pid	process
Token: SeDebugPrivilege	1428	D4E46DED5BCA4A7086100E2296E9F434D357AF08CC515.exe

C:\Users\Admin\AppData\Local\Temp\D4E46DED5BCA4A7086100E2296E9F434D357AF08CC515.exe
"C:\Users\Admin\AppData\Local\Temp\D4E46DED5BCA4A7086100E2296E9F434D357AF08CC515.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1428-54-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/1428-57-0x00000000024C0000-0x00000000024E4000-memory.dmp

Filesize
144KB

Download
memory/1428-58-0x0000000002590000-0x00000000025B2000-memory.dmp

Filesize
136KB

Download
memory/1428-59-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download