Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-11-2022 00:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    234KB

  • MD5

    3a7e04fb0a2ca2840f55e592ddd7c431

  • SHA1

    3b4bf9185d84d23ab7c2643656e25dd09f136ae3

  • SHA256

    e6d302a4849a5b211fb5351a4ed83bb2c337ad21bc78dbc7fe64482eea22edd6

  • SHA512

    c755067233429b4220bc232c07555133d997de6e0011912bf6abf5cef53ab17c6c68855970b08d14427c14b0302b6341399594d8043dd7f5c9cd9766ef8a8b5f

  • SSDEEP

    3072:ml/9OFy4kX4rRFyJdBA/V0BV8lUkOnFXpnahpDI6RFlScQqiBAXgV0Bx92eedDyc:mukXQ1gMqFl2cMlScQq192e+CfFxw

Score
10/10
redline711infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

711

C2

194.110.203.100:32796

Attributes
  • auth_value

    24e3340d853c89cad1e25194559ee778

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4296
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 304
      2⤵
      • Program crash
      PID:1292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4828 -ip 4828
    1⤵
      PID:4184

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4296-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4296-133-0x0000000000380000-0x00000000003A8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/4296-138-0x0000000005AE0000-0x00000000060F8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4296-139-0x0000000007470000-0x000000000757A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4296-140-0x0000000007360000-0x0000000007372000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4296-141-0x00000000073C0000-0x00000000073FC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4296-142-0x00000000084F0000-0x0000000008A94000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4296-143-0x0000000007FE0000-0x0000000008072000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4296-144-0x0000000008080000-0x00000000080E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4296-145-0x00000000080F0000-0x0000000008166000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4296-146-0x0000000007F90000-0x0000000007FE0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4296-147-0x0000000008AA0000-0x0000000008C62000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4296-148-0x00000000091A0000-0x00000000096CC000-memory.dmp
      Filesize

      5.2MB

      Download