Analysis
-
max time kernel
91s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16-11-2022 00:42
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
234KB
-
MD5
3a7e04fb0a2ca2840f55e592ddd7c431
-
SHA1
3b4bf9185d84d23ab7c2643656e25dd09f136ae3
-
SHA256
e6d302a4849a5b211fb5351a4ed83bb2c337ad21bc78dbc7fe64482eea22edd6
-
SHA512
c755067233429b4220bc232c07555133d997de6e0011912bf6abf5cef53ab17c6c68855970b08d14427c14b0302b6341399594d8043dd7f5c9cd9766ef8a8b5f
-
SSDEEP
3072:ml/9OFy4kX4rRFyJdBA/V0BV8lUkOnFXpnahpDI6RFlScQqiBAXgV0Bx92eedDyc:mukXQ1gMqFl2cMlScQq192e+CfFxw
Malware Config
Extracted
redline
711
194.110.203.100:32796
-
auth_value
24e3340d853c89cad1e25194559ee778
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4296-133-0x0000000000380000-0x00000000003A8000-memory.dmp family_redline -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 4828 set thread context of 4296 4828 file.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1292 4828 WerFault.exe file.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exepid process 4296 vbc.exe 4296 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 4296 vbc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
file.exedescription pid process target process PID 4828 wrote to memory of 4296 4828 file.exe vbc.exe PID 4828 wrote to memory of 4296 4828 file.exe vbc.exe PID 4828 wrote to memory of 4296 4828 file.exe vbc.exe PID 4828 wrote to memory of 4296 4828 file.exe vbc.exe PID 4828 wrote to memory of 4296 4828 file.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 3042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4828 -ip 48281⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4296-132-0x0000000000000000-mapping.dmp
-
memory/4296-133-0x0000000000380000-0x00000000003A8000-memory.dmpFilesize
160KB
-
memory/4296-138-0x0000000005AE0000-0x00000000060F8000-memory.dmpFilesize
6.1MB
-
memory/4296-139-0x0000000007470000-0x000000000757A000-memory.dmpFilesize
1.0MB
-
memory/4296-140-0x0000000007360000-0x0000000007372000-memory.dmpFilesize
72KB
-
memory/4296-141-0x00000000073C0000-0x00000000073FC000-memory.dmpFilesize
240KB
-
memory/4296-142-0x00000000084F0000-0x0000000008A94000-memory.dmpFilesize
5.6MB
-
memory/4296-143-0x0000000007FE0000-0x0000000008072000-memory.dmpFilesize
584KB
-
memory/4296-144-0x0000000008080000-0x00000000080E6000-memory.dmpFilesize
408KB
-
memory/4296-145-0x00000000080F0000-0x0000000008166000-memory.dmpFilesize
472KB
-
memory/4296-146-0x0000000007F90000-0x0000000007FE0000-memory.dmpFilesize
320KB
-
memory/4296-147-0x0000000008AA0000-0x0000000008C62000-memory.dmpFilesize
1.8MB
-
memory/4296-148-0x00000000091A0000-0x00000000096CC000-memory.dmpFilesize
5.2MB