redline | 1c07ebd7879852ae7d29e3327feda21fb884b3d797c94183465d332c0c0ab6f1

Analysis

max time kernel
80s
max time network
86s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.6MB
MD5

65dbc00037c4bcf505a84846e9bb93f8
SHA1

3dcd17569ada7ed8c6eabee2fae6d31d818f6e6c
SHA256

1c07ebd7879852ae7d29e3327feda21fb884b3d797c94183465d332c0c0ab6f1
SHA512

73afb00543e918dc32a1a9afd52f54a690eb51f9be476bff3d5b39b6cd5a5c2259b30ef91d7fe5b81c629f641b2ca290ef2e0c87593576847bb45604b695e847
SSDEEP

24576:bqYcRhuHU/8+2YuY7MOPb/M+SkswdNlWmi/wxPAGLY/r6TH0MTTLYWLgfLml3RuK:mYcHJ/8WZxPqrAUMTTLYWsql39

Score

10^/10

redline 1310 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

1310

79.137.192.57:48771

Attributes

auth_value
feb5f5c29913f32658637e553762a40e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/98376-56-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/98376-61-0x000000000042216E-mapping.dmp	family_redline
behavioral1/memory/98376-63-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/98376-62-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1264 set thread context of 98376	1264	file.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
98376	vbc.exe
98376	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	98376	vbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 98376	1264	file.exe	28
PID 1264 wrote to memory of 98376	1264	file.exe	28
PID 1264 wrote to memory of 98376	1264	file.exe	28
PID 1264 wrote to memory of 98376	1264	file.exe	28
PID 1264 wrote to memory of 98376	1264	file.exe	28
PID 1264 wrote to memory of 98376	1264	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:98376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/98376-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/98376-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/98376-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/98376-62-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/98376-64-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download