Analysis
-
max time kernel
60s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
16-11-2022 16:07
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220901-en
General
-
Target
file.exe
-
Size
234KB
-
MD5
f792926a77fc9ecd2a4e5af7ab3cf4bc
-
SHA1
46867e74a6e47db0129b22aaf2ef58725da3c03d
-
SHA256
a4f1cc0fc562132d002fb992a4552dee7e75c26343be8611c9f9bc6b2d68eec6
-
SHA512
5344ffd1557d163f4c7c04951fec5f50091b28273960cfe8eb583052a1cb79c4c26ac0baed658f19665f63b6aa0827ef19ac5b13c0cb633a2bba9d1a1deb0fe6
-
SSDEEP
3072:w+OIOpy4TM4rFdMyJdBA/V0BV8lUkOnFXpnahpDI6RFlScQqiBAXgV0Bx92eedD1:whTMQUgMqFl2cMlScQq192e+CfF1w
Malware Config
Extracted
redline
711
194.110.203.100:32796
-
auth_value
24e3340d853c89cad1e25194559ee778
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2056-133-0x0000000000780000-0x00000000007A8000-memory.dmp family_redline -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 2960 set thread context of 2056 2960 file.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5056 2960 WerFault.exe file.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exepid process 2056 vbc.exe 2056 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 2056 vbc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
file.exedescription pid process target process PID 2960 wrote to memory of 2056 2960 file.exe vbc.exe PID 2960 wrote to memory of 2056 2960 file.exe vbc.exe PID 2960 wrote to memory of 2056 2960 file.exe vbc.exe PID 2960 wrote to memory of 2056 2960 file.exe vbc.exe PID 2960 wrote to memory of 2056 2960 file.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 3122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2960 -ip 29601⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2056-132-0x0000000000000000-mapping.dmp
-
memory/2056-133-0x0000000000780000-0x00000000007A8000-memory.dmpFilesize
160KB
-
memory/2056-138-0x0000000005BD0000-0x00000000061E8000-memory.dmpFilesize
6.1MB
-
memory/2056-139-0x0000000007560000-0x000000000766A000-memory.dmpFilesize
1.0MB
-
memory/2056-140-0x0000000007480000-0x0000000007492000-memory.dmpFilesize
72KB
-
memory/2056-141-0x00000000074E0000-0x000000000751C000-memory.dmpFilesize
240KB
-
memory/2056-142-0x0000000008620000-0x0000000008BC4000-memory.dmpFilesize
5.6MB
-
memory/2056-143-0x0000000008110000-0x00000000081A2000-memory.dmpFilesize
584KB
-
memory/2056-144-0x00000000081B0000-0x0000000008216000-memory.dmpFilesize
408KB
-
memory/2056-145-0x0000000008220000-0x0000000008296000-memory.dmpFilesize
472KB
-
memory/2056-146-0x00000000080C0000-0x0000000008110000-memory.dmpFilesize
320KB
-
memory/2056-147-0x0000000008BD0000-0x0000000008D92000-memory.dmpFilesize
1.8MB
-
memory/2056-148-0x00000000092D0000-0x00000000097FC000-memory.dmpFilesize
5.2MB