Analysis
max time kernel: 134s
max time network: 181s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/11/2022, 16:30
Static task: static1
Behavioral task: behavioral1
Sample: 74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe
Resource: win10-20220812-en
General
Target: 74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe
Size: 472KB
MD5: 4f784fd650c865f8363b7f314c20f4be
SHA1: b1f016318068a4c59960254ca7560cfba550cd5c
SHA256: 74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64
SHA512: c5abcd28932273def39c57210ef266b7a83898d9c02e3597c9d5a62e193acdafd0efce983c8ace838982110451276c63a3267d9569e08f6855da3d75b2acaec0
SSDEEP: 12288:S9s1Nb4P/ngZepriWeB7Ix0nV654ve3ySYX0vO+5N42FeVxCNm1arFSB+:BLsP/nuoaICV654ve3ySYX0vO+5N42FF
Malware Config
Extracted
Family: redline
C2: 157.90.145.151:14075
auth_value: 197a8d2e248bee4495c3db7cbfdf6d3d
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                        yara_rule
behavioral1/memory/4420-121-0x0000000000400000-0x0000000000460000-memory.dmp    family_redline
behavioral1/memory/4420-126-0x000000000045BDBE-mapping.dmp                      family_redline

Uses the VBS compiler for execution (1 TTPs)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
description                            pid   Process                                                                  procid_target
PID 432 set thread context of 4420     432   74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe    66

Program crash (1 IoCs)
pid    pid_target   Process        procid_target
2164   432          WerFault.exe   65

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
4420   vbc.exe
4420   vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid    Process
Token: SeDebugPrivilege   4420   vbc.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description                          pid   Process                                                                  procid_target
PID 432 wrote to memory of 4420      432   74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe    66
PID 432 wrote to memory of 4420      432   74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe    66
PID 432 wrote to memory of 4420      432   74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe    66
PID 432 wrote to memory of 4420      432   74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe    66
PID 432 wrote to memory of 4420      432   74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe    66
Processes

1. C:\Users\Admin\AppData\Local\Temp\74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64.exe"
   PID: 432
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 4420
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 236
      PID: 2164
      - Program crash