redline | 592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b

Analysis

max time kernel
153s
max time network
173s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe
Size

2.6MB
MD5

fdc08cd73067053b5ffe1fa6ff89db69
SHA1

6ee158437513a43ef4a7c0cc885ea1fbdce8519e
SHA256

592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b
SHA512

0abac010f2a3efe0715002a46b9e7163a9537204f64369fbaddfeb2a13ff25956eecf77bf46afe76c1b04dd206d0d4e83cac4f86b7be22a0ec48ff3450f004d9
SSDEEP

24576:5uZGB2rgxdDlnFmNXIhp4cFYuYrAEfbKM2rHyx+doKH6ZG3DPAGLY/r6TiugoePY:5mo8gTJp46d3DPqrAeoisze+3Rl3/

Score

10^/10

redline 1310 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

1310

79.137.192.57:48771

Attributes

auth_value
feb5f5c29913f32658637e553762a40e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/96236-58-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/96236-63-0x000000000042216E-mapping.dmp	family_redline
behavioral1/memory/96236-64-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/96236-65-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 96236	1672	592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
96236	vbc.exe
96236	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	96236	vbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 96236	1672	592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe	28
PID 1672 wrote to memory of 96236	1672	592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe	28
PID 1672 wrote to memory of 96236	1672	592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe	28
PID 1672 wrote to memory of 96236	1672	592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe	28
PID 1672 wrote to memory of 96236	1672	592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe	28
PID 1672 wrote to memory of 96236	1672	592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe	28

C:\Users\Admin\AppData\Local\Temp\592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe
"C:\Users\Admin\AppData\Local\Temp\592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:96236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/96236-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/96236-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/96236-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/96236-65-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/96236-66-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download