redline | bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0

Analysis

max time kernel
52s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
14-09-2022 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
Size

217KB
MD5

a078e93cc24db2b52b41dde722aaa333
SHA1

8bc2f863ebdc8334b8cf240fd21a254c754498b6
SHA256

bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0
SHA512

3156512dfe0316d251b19e0d9c643c8377f5ed2c1397ce202665c70e5875b400a2952623d7af0fbda5c4e0de0f9ff9e4a1c9f27f63e5e8524fe45a7bce19c97c
SSDEEP

3072:F9Pz9yUZZ91RI9zIpA4sSBmxShqyXAI5BjzQS8iqI6FFLpRntY8Q233inOHc/i:F9z4w3RIpYxjMP2BjzQS8ij6FjRy8Qp

Score

10^/10

redline lyla.11.09 infostealer

Malware Config

Extracted

Family

redline

Botnet

Lyla.11.09

185.215.113.216:21921

Attributes

auth_value
a1e5192e588aa983d678ceb4d6e0d8b5

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe

description	pid	process	target process
PID 2648 set thread context of 5008	2648	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4516 5008 WerFault.exe bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe

pid	pid_target	process	target process
4516	5008	WerFault.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe

description	pid	process	target process
PID 2648 wrote to memory of 5008	2648	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
PID 2648 wrote to memory of 5008	2648	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
PID 2648 wrote to memory of 5008	2648	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
PID 2648 wrote to memory of 5008	2648	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
PID 2648 wrote to memory of 5008	2648	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
PID 2648 wrote to memory of 5008	2648	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
PID 2648 wrote to memory of 5008	2648	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
PID 2648 wrote to memory of 5008	2648	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe	bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe

C:\Users\Admin\AppData\Local\Temp\bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
"C:\Users\Admin\AppData\Local\Temp\bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe
"C:\Users\Admin\AppData\Local\Temp\bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe"
2⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 712
3⤵
- Program crash
PID:4516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bc7da2ff8fd88b93c62d6318a26c17a9bbc14ee658d2064140f4ccdc869764f0.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
memory/2648-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-119-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-122-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-148-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/2648-149-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2648-154-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-151-0x0000000000F10000-0x0000000000F2C000-memory.dmp

Filesize
112KB

Download
memory/5008-152-0x0000000000F26ABA-mapping.dmp

Download
memory/5008-156-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-170-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-171-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-173-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-174-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-178-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-179-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-180-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download