Analysis
-
max time kernel
56s -
max time network
59s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 13:18
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220901-en
General
-
Target
file.exe
-
Size
929KB
-
MD5
ba95d1eb4a2e75a13058cf64aaaf747f
-
SHA1
1d1890cfb6f45b4d1a690674a28e19446c5c33a9
-
SHA256
a964be69ae3a3b5aa6b824909ea7d3a65e3b6230aba8d5199dfca82284029b72
-
SHA512
a1855402c51ced0d752643640e654c37c3c52a69b81ebd9b1632d598a291ef2dbe410263787bf6a75569ab76bf8014b6a6c14f285df7df3e99bb969d09829e10
-
SSDEEP
12288:9BA+gaChl8BfvNqMNRKmQewnhAeCWRnL/TbNS1nDwpOFLuSOE3lKFAvQlOTPp5kr:9LgBhmBfvNq1dnL/nA1UpOFuFAvHH
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
213.32.44.120:6254
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1172-56-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1172-61-0x00000000004221EE-mapping.dmp family_redline behavioral1/memory/1172-62-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1172-63-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 740 set thread context of 1172 740 file.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2036 740 WerFault.exe file.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exepid process 1172 vbc.exe 1172 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 1172 vbc.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
file.exedescription pid process target process PID 740 wrote to memory of 1172 740 file.exe vbc.exe PID 740 wrote to memory of 1172 740 file.exe vbc.exe PID 740 wrote to memory of 1172 740 file.exe vbc.exe PID 740 wrote to memory of 1172 740 file.exe vbc.exe PID 740 wrote to memory of 1172 740 file.exe vbc.exe PID 740 wrote to memory of 1172 740 file.exe vbc.exe PID 740 wrote to memory of 2036 740 file.exe WerFault.exe PID 740 wrote to memory of 2036 740 file.exe WerFault.exe PID 740 wrote to memory of 2036 740 file.exe WerFault.exe PID 740 wrote to memory of 2036 740 file.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 362⤵
- Program crash
PID:2036
-