redline | a964be69ae3a3b5aa6b824909ea7d3a65e3b6230aba8d5199dfca82284029b72

Analysis

max time kernel
90s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

929KB
MD5

ba95d1eb4a2e75a13058cf64aaaf747f
SHA1

1d1890cfb6f45b4d1a690674a28e19446c5c33a9
SHA256

a964be69ae3a3b5aa6b824909ea7d3a65e3b6230aba8d5199dfca82284029b72
SHA512

a1855402c51ced0d752643640e654c37c3c52a69b81ebd9b1632d598a291ef2dbe410263787bf6a75569ab76bf8014b6a6c14f285df7df3e99bb969d09829e10
SSDEEP

12288:9BA+gaChl8BfvNqMNRKmQewnhAeCWRnL/TbNS1nDwpOFLuSOE3lKFAvQlOTPp5kr:9LgBhmBfvNq1dnL/nA1UpOFuFAvHH

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

213.32.44.120:6254

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1164-136-0x0000000000720000-0x0000000000748000-memory.dmp	family_redline

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 4964 set thread context of 1164 4964 file.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5036 4964 WerFault.exe file.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

1164 vbc.exe
1164 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1164 vbc.exe

description	pid	process	target process
PID 4964 set thread context of 1164	4964	file.exe	vbc.exe

pid	pid_target	process	target process
5036	4964	WerFault.exe	file.exe

pid	process
1164	vbc.exe
1164	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1164	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

file.exe

description	pid	process	target process
PID 4964 wrote to memory of 1164	4964	file.exe	vbc.exe
PID 4964 wrote to memory of 1164	4964	file.exe	vbc.exe
PID 4964 wrote to memory of 1164	4964	file.exe	vbc.exe
PID 4964 wrote to memory of 1164	4964	file.exe	vbc.exe
PID 4964 wrote to memory of 1164	4964	file.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 240
  2⤵
  - Program crash
  PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4964 -ip 4964
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1164-135-0x0000000000000000-mapping.dmp

Download
memory/1164-136-0x0000000000720000-0x0000000000748000-memory.dmp

Filesize
160KB

Download
memory/1164-141-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/1164-142-0x0000000004F30000-0x000000000503A000-memory.dmp

Filesize
1.0MB

Download
memory/1164-143-0x0000000004E60000-0x0000000004E72000-memory.dmp

Filesize
72KB

Download
memory/1164-144-0x0000000004ED0000-0x0000000004F0C000-memory.dmp

Filesize
240KB

Download
memory/1164-145-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/1164-146-0x0000000005FC0000-0x0000000006564000-memory.dmp

Filesize
5.6MB

Download
memory/1164-147-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/1164-148-0x0000000005EB0000-0x0000000005F26000-memory.dmp

Filesize
472KB

Download
memory/1164-149-0x0000000005F30000-0x0000000005F80000-memory.dmp

Filesize
320KB

Download
memory/1164-150-0x0000000006BB0000-0x0000000006D72000-memory.dmp

Filesize
1.8MB

Download
memory/1164-151-0x0000000008920000-0x0000000008E4C000-memory.dmp

Filesize
5.2MB

Download