redline | e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30

Analysis

max time kernel
52s
max time network
70s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-11-2022 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe
Size

234KB
MD5

ebe1870be2fa78527fec23e2100a051e
SHA1

eb593043f75a28dbd01f2d9e1298479a7e0b178d
SHA256

e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30
SHA512

4bca49294680089a42d92098846cb11e211805a6593e36bb3d106aa1d6b546cfaa7e60cdec6751d3ef7ae3b3673c5a7de63c5ec709980d2b2c69ab099e3289d6
SSDEEP

3072:TFf1Oly4I34rutyAA/V0BV8lUkOnFXpnahpDI6RFlScQqiBAXgV0Bx92eedDyYcQ:TiI3QBgMqFl2cMlScQq192e+CfFRw

Score

10^/10

redline 711 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

711

194.110.203.100:32796

Attributes

auth_value
24e3340d853c89cad1e25194559ee778

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2104-138-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/2104-143-0x00000000004221D2-mapping.dmp	family_redline

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe

description	pid	process	target process
PID 3824 set thread context of 2104	3824	e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4556 3824 WerFault.exe e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

2104 vbc.exe
2104 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 2104 vbc.exe

pid	pid_target	process	target process
4556	3824	WerFault.exe	e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe

pid	process
2104	vbc.exe
2104	vbc.exe

description	pid	process
Token: SeDebugPrivilege	2104	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe

description	pid	process	target process
PID 3824 wrote to memory of 2104	3824	e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe	vbc.exe
PID 3824 wrote to memory of 2104	3824	e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe	vbc.exe
PID 3824 wrote to memory of 2104	3824	e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe	vbc.exe
PID 3824 wrote to memory of 2104	3824	e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe	vbc.exe
PID 3824 wrote to memory of 2104	3824	e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe
"C:\Users\Admin\AppData\Local\Temp\e4565b29f687b5bce49974fec485c8e9cb9b308ccd9ffc3e1abb8d9c6355cf30.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 132
2⤵
- Program crash
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2104-177-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-179-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-489-0x000000000DAA0000-0x000000000DFCC000-memory.dmp

Filesize
5.2MB

Download
memory/2104-488-0x000000000D3A0000-0x000000000D562000-memory.dmp

Filesize
1.8MB

Download
memory/2104-479-0x000000000CAC0000-0x000000000CB10000-memory.dmp

Filesize
320KB

Download
memory/2104-158-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-159-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-235-0x000000000CB60000-0x000000000CBF2000-memory.dmp

Filesize
584KB

Download
memory/2104-228-0x000000000CA50000-0x000000000CAB6000-memory.dmp

Filesize
408KB

Download
memory/2104-224-0x000000000CEA0000-0x000000000D39E000-memory.dmp

Filesize
5.0MB

Download
memory/2104-216-0x000000000BF10000-0x000000000BF5B000-memory.dmp

Filesize
300KB

Download
memory/2104-214-0x000000000BD90000-0x000000000BDCE000-memory.dmp

Filesize
248KB

Download
memory/2104-212-0x000000000BD30000-0x000000000BD42000-memory.dmp

Filesize
72KB

Download
memory/2104-210-0x000000000BE00000-0x000000000BF0A000-memory.dmp

Filesize
1.0MB

Download
memory/2104-203-0x000000000A490000-0x000000000AA96000-memory.dmp

Filesize
6.0MB

Download
memory/2104-183-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-182-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-181-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-180-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-178-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-175-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-174-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-138-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2104-143-0x00000000004221D2-mapping.dmp

Download
memory/2104-144-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-145-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-146-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-147-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-148-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-150-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-151-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-153-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-154-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-155-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-156-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-157-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-173-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-478-0x000000000CC00000-0x000000000CC76000-memory.dmp

Filesize
472KB

Download
memory/2104-163-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-161-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-162-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-160-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-164-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-165-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-166-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-167-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-168-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-169-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-170-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-171-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2104-172-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-118-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-136-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-133-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-116-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-135-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-117-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-134-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-132-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-128-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-137-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-130-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-131-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-129-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-127-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-126-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-125-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-124-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-123-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-122-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-120-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-119-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-121-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download