Analysis
- max time kernel: 42s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-10-2022 15:43
Static task
- static1

Behavioral task
- behavioral1
  Sample: file.exe
  Resource: win7-20220812-en

Behavioral task
- behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 450KB
- MD5: 47d4b2fd7654ad71026eb66dd2aa5d97
- SHA1: dabbda8e945fadee09c5bbee1b0ed9a4036038f5
- SHA256: 5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce
- SHA512: 3412e220dfcfa4401b03e0ca36c55c03f65bc92016a5a52db625a16c4e1171b1305477e9b461f3aaffeafcae99ccfdf1c9e4729695007718469bda1d753f28f1
- SSDEEP: 6144:Z8fFQo+7Q0H3y+nvEGiBpYbgBUR4JttcBDlxdwpfxfBThM9eo1I7u0Kry2wej99u:ZYFiISM5jY9IfBTy9eo1dC
Malware Config
Extracted
- redline
- nam6.1
- 103.89.90.61:34589
- auth_value: 5a3c8b8880f6d03e2acaaa0ba12776e3
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (6 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1932-59-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
  behavioral1/memory/1932-60-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
  behavioral1/memory/1932-61-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
  behavioral1/memory/1932-62-0x000000000042211E-mapping.dmp                    family_redline
  behavioral1/memory/1932-64-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
  behavioral1/memory/1932-66-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
- Uses the VBS compiler for execution (1 TTPs)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          pid   process   target process
  PID 1504 set thread context of 1932  1504  file.exe  vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1932  vbc.exe
  1932  vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1932  vbc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                       pid   process   target process
  PID 1504 wrote to memory of 1932  1504  file.exe  vbc.exe
  (this row is listed 9 times in the report, one per IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1504-54-0x0000000001310000-0x0000000001386000-memory.dmp (Filesize 472KB)
- memory/1504-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp (Filesize 8KB)
- memory/1932-56-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1932-57-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1932-59-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1932-60-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1932-61-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1932-62-0x000000000042211E-mapping.dmp
- memory/1932-64-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1932-66-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)