Analysis
-
max time kernel
91s
-
max time network
155s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220901-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
-
submitted
07-11-2022 06:52
Static task
static1
Behavioral task
behavioral1
Sample
18ec6f65d276ea2173b26e7ca013190e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
18ec6f65d276ea2173b26e7ca013190e.exe
Resource
win10v2004-20220901-en
General
-
Target
18ec6f65d276ea2173b26e7ca013190e.exe
-
Size
248KB
-
MD5
18ec6f65d276ea2173b26e7ca013190e
-
SHA1
f24d95a1069ccbde30ece236d72c7553689c890b
-
SHA256
5d5e9a03a29d4e638a175b889a5bb73fbcb0809ac83aa6966324fe86ac408d17
-
SHA512
33e2c237be627d032d9b1db91aa8446b06b9526f55dffc68c8eec55aedd6a747f2231dc1a4ab730590bb1a4407136b78ff6fa472643078b03dc665f781e31573
-
SSDEEP
3072:QScNYLAzJ+bENfhy6Fw+UVVgq/qipjvVBN1s1KeVyFCbC4KZxaJVYYPwiofG/7c:4/dgENPHip5BE1k6KZxowikG/7c
Malware Config
Extracted
redline
1
107.182.129.73:21733
-
auth_value
3a5bb0917495b4312d052a0b8977d2bb
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource: behavioral2/memory/4500-133-0x00000000001D0000-0x00000000001F0000-memory.dmp, yara_rule: family_redline
resource: behavioral2/memory/2804-138-0x0000000000B10000-0x0000000000B4E000-memory.dmp, yara_rule: family_redline
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
18ec6f65d276ea2173b26e7ca013190e.exe
description: PID 2804 set thread context of 4500, pid: 2804, process: 18ec6f65d276ea2173b26e7ca013190e.exe, target process: vbc.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
vbc.exe
pid: 4500, process: vbc.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exe
description: Token: SeDebugPrivilege, pid: 4500, process: vbc.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
18ec6f65d276ea2173b26e7ca013190e.exe
description: PID 2804 wrote to memory of 4500, pid: 2804, process: 18ec6f65d276ea2173b26e7ca013190e.exe, target process: vbc.exe
description: PID 2804 wrote to memory of 4500, pid: 2804, process: 18ec6f65d276ea2173b26e7ca013190e.exe, target process: vbc.exe
description: PID 2804 wrote to memory of 4500, pid: 2804, process: 18ec6f65d276ea2173b26e7ca013190e.exe, target process: vbc.exe
description: PID 2804 wrote to memory of 4500, pid: 2804, process: 18ec6f65d276ea2173b26e7ca013190e.exe, target process: vbc.exe
description: PID 2804 wrote to memory of 4500, pid: 2804, process: 18ec6f65d276ea2173b26e7ca013190e.exe, target process: vbc.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\18ec6f65d276ea2173b26e7ca013190e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\18ec6f65d276ea2173b26e7ca013190e.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (child of 1)
   command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
memory/2804-138-0x0000000000B10000-0x0000000000B4E000-memory.dmp
Filesize
248KB
-
memory/4500-142-0x0000000004C90000-0x0000000004CCC000-memory.dmp
Filesize
240KB
-
memory/4500-144-0x00000000050B0000-0x0000000005142000-memory.dmp
Filesize
584KB
-
memory/4500-139-0x0000000005270000-0x0000000005888000-memory.dmp
Filesize
6.1MB
-
memory/4500-140-0x00000000026B0000-0x00000000026C2000-memory.dmp
Filesize
72KB
-
memory/4500-141-0x0000000004D60000-0x0000000004E6A000-memory.dmp
Filesize
1.0MB
-
memory/4500-132-0x0000000000000000-mapping.dmp
-
memory/4500-143-0x0000000004F80000-0x0000000004FF6000-memory.dmp
Filesize
472KB
-
memory/4500-133-0x00000000001D0000-0x00000000001F0000-memory.dmp
Filesize
128KB
-
memory/4500-145-0x0000000005E40000-0x00000000063E4000-memory.dmp
Filesize
5.6MB
-
memory/4500-146-0x0000000005170000-0x000000000518E000-memory.dmp
Filesize
120KB
-
memory/4500-147-0x0000000005990000-0x00000000059F6000-memory.dmp
Filesize
408KB
-
memory/4500-148-0x0000000005DE0000-0x0000000005E30000-memory.dmp
Filesize
320KB
-
memory/4500-149-0x00000000067C0000-0x0000000006982000-memory.dmp
Filesize
1.8MB
-
memory/4500-150-0x0000000006EC0000-0x00000000073EC000-memory.dmp
Filesize
5.2MB