Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    48s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    11-11-2022 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    271KB

  • MD5

    36c51c0d146dbe9024e34b251421a72e

  • SHA1

    54e5325e012106703cd432d7568f974bd115a337

  • SHA256

    0ce402cf92619e1d76d785c01928ec54abcb73933bde93ef33bec31c6ec825f8

  • SHA512

    1d0d9f18510d32367dbb929ab2d8db74bd50fe0a07c19b3d860475f1e83ed8d3e2c0d3f925044243271f7b01b0fc1dcd2a49865ce6786ff8127df3c67b0c1687

  • SSDEEP

    3072:A5m+sPa0rSqvWxPtdlROun6IQiWxh4WZ9bOTTmofHsEUv/f:+sPa0rLw7Wu6ItWxhl9w6YU/f

Score
10/10
redlinepersecloud logsinfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

PerseCloud Logs

C2

151.80.89.227:45878

Attributes
  • auth_value

    f35e78a6b4be27a5c8621510cdcfa361

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1188-55-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1188-56-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1188-58-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1188-59-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1188-60-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1188-61-0x00000000004221AE-mapping.dmp
    Download
  • memory/1188-63-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1188-65-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1188-66-0x00000000757A1000-0x00000000757A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1268-54-0x0000000000920000-0x000000000096A000-memory.dmp
    Filesize

    296KB

    Download