Analysis
-
max time kernel
48s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
11-11-2022 01:58
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
271KB
-
MD5
36c51c0d146dbe9024e34b251421a72e
-
SHA1
54e5325e012106703cd432d7568f974bd115a337
-
SHA256
0ce402cf92619e1d76d785c01928ec54abcb73933bde93ef33bec31c6ec825f8
-
SHA512
1d0d9f18510d32367dbb929ab2d8db74bd50fe0a07c19b3d860475f1e83ed8d3e2c0d3f925044243271f7b01b0fc1dcd2a49865ce6786ff8127df3c67b0c1687
-
SSDEEP
3072:A5m+sPa0rSqvWxPtdlROun6IQiWxh4WZ9bOTTmofHsEUv/f:+sPa0rLw7Wu6ItWxhl9w6YU/f
Malware Config
Extracted
redline
PerseCloud Logs
151.80.89.227:45878
-
auth_value
f35e78a6b4be27a5c8621510cdcfa361
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1188-58-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1188-59-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1188-60-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1188-61-0x00000000004221AE-mapping.dmp family_redline behavioral1/memory/1188-63-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1188-65-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 1268 set thread context of 1188 1268 file.exe vbc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exepid process 1188 vbc.exe 1188 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 1188 vbc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
file.exedescription pid process target process PID 1268 wrote to memory of 1188 1268 file.exe vbc.exe PID 1268 wrote to memory of 1188 1268 file.exe vbc.exe PID 1268 wrote to memory of 1188 1268 file.exe vbc.exe PID 1268 wrote to memory of 1188 1268 file.exe vbc.exe PID 1268 wrote to memory of 1188 1268 file.exe vbc.exe PID 1268 wrote to memory of 1188 1268 file.exe vbc.exe PID 1268 wrote to memory of 1188 1268 file.exe vbc.exe PID 1268 wrote to memory of 1188 1268 file.exe vbc.exe PID 1268 wrote to memory of 1188 1268 file.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1188-55-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1188-56-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1188-58-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1188-59-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1188-60-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1188-61-0x00000000004221AE-mapping.dmp
-
memory/1188-63-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1188-65-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1188-66-0x00000000757A1000-0x00000000757A3000-memory.dmpFilesize
8KB
-
memory/1268-54-0x0000000000920000-0x000000000096A000-memory.dmpFilesize
296KB