Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-09-2022 12:31
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20220812-en)
General
Target: file.exe
Size: 434KB
MD5: a02c32933a9afef8c2c3f624d8e0a50c
SHA1: 0e91dc7fe61aaab801c8492fcbaf623090c31ab8
SHA256: 7110b169b91367725a879b62e6a678126757daf30a942e55ad6b8fee54a446db
SHA512: e3f7ba98fbb8bc2042b957a432bdda3159bcfee8779c60e297a5d650e6b005ebe3f645140d9c2beef5dd1dbecfad47c0c2bb2c97a2ee80b56a7e4e0b485a2696
SSDEEP: 6144:NlRF9a28qZ/8zBuMEaBChkJGRwfqUKDPp5xI/nG7:1fP8Y88MEawk/nI
Malware Config
Extracted
Family: redline
Botnet: nam6.1
C2: 103.89.90.61:34589
auth_value: 5a3c8b8880f6d03e2acaaa0ba12776e3
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/3116-136-0x0000000000360000-0x0000000000380000-memory.dmp, yara_rule: family_redline
- Uses the VBS compiler for execution (1 TTP)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  PID 4776 (file.exe) set thread context of PID 3116 (vbc.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 3116 (vbc.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3116 (vbc.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4776 (file.exe) wrote to memory of PID 3116 (vbc.exe), 8 times
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4776)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 3116, child of file.exe)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3116-139-0x0000000007520000-0x000000000762A000-memory.dmp  Filesize: 1.0MB
memory/3116-141-0x0000000005360000-0x00000000053D6000-memory.dmp  Filesize: 472KB
memory/3116-134-0x0000000000000000-mapping.dmp  (no filesize listed)
memory/3116-136-0x0000000000360000-0x0000000000380000-memory.dmp  Filesize: 128KB
memory/3116-137-0x0000000005B70000-0x0000000006188000-memory.dmp  Filesize: 6.1MB
memory/3116-138-0x00000000073F0000-0x0000000007402000-memory.dmp  Filesize: 72KB
memory/3116-147-0x0000000007C00000-0x0000000007C50000-memory.dmp  Filesize: 320KB
memory/3116-140-0x0000000007460000-0x000000000749C000-memory.dmp  Filesize: 240KB
memory/3116-146-0x0000000008970000-0x0000000008E9C000-memory.dmp  Filesize: 5.2MB
memory/3116-142-0x0000000005480000-0x0000000005512000-memory.dmp  Filesize: 584KB
memory/3116-143-0x0000000007CC0000-0x0000000008264000-memory.dmp  Filesize: 5.6MB
memory/3116-144-0x0000000005460000-0x000000000547E000-memory.dmp  Filesize: 120KB
memory/3116-145-0x0000000008270000-0x0000000008432000-memory.dmp  Filesize: 1.8MB
memory/4776-132-0x0000000000F00000-0x0000000000F72000-memory.dmp  Filesize: 456KB
memory/4776-133-0x00000000058B0000-0x0000000005916000-memory.dmp  Filesize: 408KB