redline | 9c2cd3054daa423bf29f6af6dc35b986df456c6356849fe2b75b2fb9cdfef953

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 12:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

228KB
MD5

049266c4d9f54e08aa341e48fec74ee2
SHA1

70311d30ab733549e28cbfa3e269b49fca531733
SHA256

9c2cd3054daa423bf29f6af6dc35b986df456c6356849fe2b75b2fb9cdfef953
SHA512

387948aea8c86baca67b6076c7c69323d4bbf6f4773c19ed6829af0457db9352ac67ac37d6d1d1b00f1793bb9cc7d82795dfc0e2e6e7c605a676aa5f3ddd22a4
SSDEEP

6144:QolJaSz9IC7MaaaaaLgi6a7OnqJ9RfoL6kuw19:QolJVz9IoMaaaaaLD7Oq3Rf85uw19

Score

10^/10

redline premiumcloud#41 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

PremiumCloud#41

151.80.89.227:45878

Attributes

auth_value
6011f107082889840844bd9a1730558b

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/memory/1204-59-0x00000000001C0000-0x00000000001E8000-memory.dmp	family_redline
behavioral1/memory/1204-60-0x00000000001C0000-0x00000000001E8000-memory.dmp	family_redline
behavioral1/memory/1204-62-0x000000000042214E-mapping.dmp	family_redline
behavioral1/memory/1204-63-0x00000000001C0000-0x00000000001E8000-memory.dmp	family_redline
behavioral1/memory/1204-64-0x00000000001C0000-0x00000000001E8000-memory.dmp	family_redline
behavioral1/memory/1204-68-0x00000000001C0000-0x00000000001E8000-memory.dmp	family_redline
behavioral1/memory/1204-71-0x00000000001C0000-0x00000000001E8000-memory.dmp	family_redline

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 1204	852	file.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1204	vbc.exe
1204	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	vbc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1204	852	file.exe	27
PID 852 wrote to memory of 1204	852	file.exe	27
PID 852 wrote to memory of 1204	852	file.exe	27
PID 852 wrote to memory of 1204	852	file.exe	27
PID 852 wrote to memory of 1204	852	file.exe	27
PID 852 wrote to memory of 1204	852	file.exe	27
PID 852 wrote to memory of 1204	852	file.exe	27
PID 852 wrote to memory of 1204	852	file.exe	27
PID 852 wrote to memory of 1204	852	file.exe	27

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-54-0x0000000000990000-0x00000000009CE000-memory.dmp

Filesize
248KB

Download
memory/852-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1204-56-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/1204-57-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/1204-59-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/1204-60-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/1204-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1204-63-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/1204-64-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/1204-68-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/1204-71-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download