redline | 5af62720d9119f381d88dc30ef6e7a71aca7428f4ad54721f1ffa253a1231546

Analysis

max time kernel
201s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eb435e7827a8260b08a29a03e4652b6.exe
Size

173KB
MD5

2eb435e7827a8260b08a29a03e4652b6
SHA1

218f5646d1443f4e46bba7709ba79298ab288328
SHA256

5af62720d9119f381d88dc30ef6e7a71aca7428f4ad54721f1ffa253a1231546
SHA512

510da9fb18b83eeeef3c0f917da3788601ca4fb6f14c0b5e92c1e8574c6ee7ce4817d4454db4e7b18be2725b7636b4d8a8a1a4de2cb500a6d7444d03a5c1d9c7
SSDEEP

3072:VfOoAcE+GtMBCTk7yq0LtE1bUEaehKackNo/6:VfOoI+GtMB1WtE1bdC7kN

Score

10^/10

redline infostealer

Malware Config

Extracted

Family

redline

79.137.192.9:19788

Attributes

auth_value
d7d6e6b0afe836c96a3aee94b2b51dd3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

2eb435e7827a8260b08a29a03e4652b6.exe

description pid process target process

PID 4908 set thread context of 4748 4908 2eb435e7827a8260b08a29a03e4652b6.exe vbc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1876 4908 WerFault.exe 2eb435e7827a8260b08a29a03e4652b6.exe
4680 4908 WerFault.exe 2eb435e7827a8260b08a29a03e4652b6.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

4748 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 4748 vbc.exe

description	pid	process	target process
PID 4908 set thread context of 4748	4908	2eb435e7827a8260b08a29a03e4652b6.exe	vbc.exe

pid	pid_target	process	target process
1876	4908	WerFault.exe	2eb435e7827a8260b08a29a03e4652b6.exe
4680	4908	WerFault.exe	2eb435e7827a8260b08a29a03e4652b6.exe

pid	process
4748	vbc.exe

description	pid	process
Token: SeDebugPrivilege	4748	vbc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2eb435e7827a8260b08a29a03e4652b6.exe

description	pid	process	target process
PID 4908 wrote to memory of 4748	4908	2eb435e7827a8260b08a29a03e4652b6.exe	vbc.exe
PID 4908 wrote to memory of 4748	4908	2eb435e7827a8260b08a29a03e4652b6.exe	vbc.exe
PID 4908 wrote to memory of 4748	4908	2eb435e7827a8260b08a29a03e4652b6.exe	vbc.exe
PID 4908 wrote to memory of 4748	4908	2eb435e7827a8260b08a29a03e4652b6.exe	vbc.exe
PID 4908 wrote to memory of 4748	4908	2eb435e7827a8260b08a29a03e4652b6.exe	vbc.exe
PID 4908 wrote to memory of 1876	4908	2eb435e7827a8260b08a29a03e4652b6.exe	WerFault.exe
PID 4908 wrote to memory of 1876	4908	2eb435e7827a8260b08a29a03e4652b6.exe	WerFault.exe
PID 4908 wrote to memory of 1876	4908	2eb435e7827a8260b08a29a03e4652b6.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2eb435e7827a8260b08a29a03e4652b6.exe
"C:\Users\Admin\AppData\Local\Temp\2eb435e7827a8260b08a29a03e4652b6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 340
2⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 340
2⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4908 -ip 4908
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-138-0x0000000000000000-mapping.dmp

Download
memory/4748-142-0x00000000051E0000-0x000000000521C000-memory.dmp

Filesize
240KB

Download
memory/4748-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4748-139-0x0000000005470000-0x0000000005A88000-memory.dmp

Filesize
6.1MB

Download
memory/4748-140-0x0000000005180000-0x0000000005192000-memory.dmp

Filesize
72KB

Download
memory/4748-141-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4748-132-0x0000000000000000-mapping.dmp

Download
memory/4748-143-0x0000000006240000-0x00000000067E4000-memory.dmp

Filesize
5.6MB

Download
memory/4748-144-0x0000000005C90000-0x0000000005D22000-memory.dmp

Filesize
584KB

Download
memory/4748-145-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/4748-146-0x00000000069C0000-0x0000000006B82000-memory.dmp

Filesize
1.8MB

Download
memory/4748-147-0x00000000070C0000-0x00000000075EC000-memory.dmp

Filesize
5.2MB

Download
memory/4748-148-0x0000000006870000-0x00000000068E6000-memory.dmp

Filesize
472KB

Download