Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 11:41
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
217KB
-
MD5
994582a9698bff38051a6ecb1522c30b
-
SHA1
79bdca7a44e56665a11c71c34b334321a39e16cd
-
SHA256
22932ac12c61f7ade37d16a82ad02d08259263020f4a465d15f2830fa03df12b
-
SHA512
290c4046453cb242ca57c24e739557f3d683511bcb1aa59398b04d1372e85f402bc2527542665355459692bc78664441d4f0a3d816cc349dfad9f427e765e4a3
-
SSDEEP
3072:LT4vq60E/oW+24ETyre2xRc0jqr76OlnA9DMpYU4KZe8JbJ3Yl6PR+cpY8jwGS:LMvr0E/oywe2xrjq6O4MJ4bM5Y4+cE
Malware Config
Extracted
redline
@madboyza
193.106.191.138:32796
-
auth_value
9bfce7bfb110f8f53d96c7a32c655358
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/5040-133-0x00000000004A0000-0x00000000004C8000-memory.dmp family_redline -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 2372 set thread context of 5040 2372 file.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3392 2372 WerFault.exe file.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
file.exedescription pid process target process PID 2372 wrote to memory of 5040 2372 file.exe vbc.exe PID 2372 wrote to memory of 5040 2372 file.exe vbc.exe PID 2372 wrote to memory of 5040 2372 file.exe vbc.exe PID 2372 wrote to memory of 5040 2372 file.exe vbc.exe PID 2372 wrote to memory of 5040 2372 file.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:5040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1402⤵
- Program crash
PID:3392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2372 -ip 23721⤵PID:2156