redline | 7ee8f22c98aa12fd857957b213a700b35b3b57522e17d0b584455d08d7cdca4c

Analysis

max time kernel
187s
max time network
350s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-09-2022 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lumion 12 Pro/Setup.exe
Size

750.1MB
MD5

7956afc5b7cdcc25f3afefbe6f60c0ac
SHA1

448f5f12570139a810392009b71b710e5bbf1c64
SHA256

13d88be69d884c2dc3dad8dacb3ca661ff019edd5cd930494531ada0350ff903
SHA512

f334aa41556dc9369c4f8978d410ca2b710e38470b173fe175ce586fa8c9953fbb9e009f98bcf2c5fda988bc4edc2cda1e6686dd1d611d4d504decdec2c1374d
SSDEEP

3072:xekJWGLunDanEw56QyYoIxIDbdRoi4D82r:xRIDanBuPIKDbdRFc8+

Score

10^/10

redline @chaoiiing 17/08/22 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@chaoiiing 17/08/22

92.38.241.94:22922

Attributes

auth_value
72cce26a18d3046167e14710509d2d24

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 964	936	Setup.exe	26

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
964	vbc.exe
964	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	vbc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 964	936	Setup.exe	26
PID 936 wrote to memory of 964	936	Setup.exe	26
PID 936 wrote to memory of 964	936	Setup.exe	26
PID 936 wrote to memory of 964	936	Setup.exe	26
PID 936 wrote to memory of 964	936	Setup.exe	26
PID 936 wrote to memory of 964	936	Setup.exe	26
PID 936 wrote to memory of 964	936	Setup.exe	26
PID 936 wrote to memory of 964	936	Setup.exe	26
PID 936 wrote to memory of 964	936	Setup.exe	26

C:\Users\Admin\AppData\Local\Temp\Lumion 12 Pro\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Lumion 12 Pro\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-54-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/936-55-0x00000000009E0000-0x0000000000A00000-memory.dmp

Filesize
128KB

Download
memory/964-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/964-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/964-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/964-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/964-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/964-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/964-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download