Analysis
max time kernel:  20s
max time network: 47s
platform:         windows7_x64
resource:         win7-20220812-en
resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:        25-11-2022 14:13

Static task: static1
Behavioral task: behavioral1
  Sample:   file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   file.exe
  Resource: win10v2004-20221111-en
General
Target: file.exe
Size:   6.9MB
MD5:    5e302b8def2082d2e5f0ac5f9a450558
SHA1:   92de829105e4cad6e20cbfdf06889bafc6af67a2
SHA256: 3856bc60e588f715b1338764cc430b359f80b8f04e447db07f149cc4101d800e
SHA512: 104bb849cbb3b9d9d481a199edc462a79c8a486cca7be46c3232310d26da986585d9077fe206460363343832ee5563065177635c5c95a6b62fcf6fd6d8bc567a
SSDEEP: 24576:DoRlA41Ob7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7WS:ol+WsWsWsWsWsWsWsWsWsWsWsWsW
Malware Config
Extracted
Family:     redline
Botnet:     @Andriii_ff
C2:         185.173.36.94:31511
auth_value: a6043973697c5fa0f81dd913cff42254
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTP)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process   target process
    PID 1940 set thread context of 1292  1940  file.exe  vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1292  vbc.exe
    1292  vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1292  vbc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        pid   process   target process
    PID 1940 wrote to memory of 1292   1940  file.exe  vbc.exe
    (this identical row is listed 9 times in the report, one per WriteProcessMemory call from 1940 into 1292)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\file.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
File                                                               Filesize
memory/1292-55-0x0000000000400000-0x0000000000438000-memory.dmp    224KB
memory/1292-56-0x0000000000400000-0x0000000000438000-memory.dmp    224KB
memory/1292-58-0x0000000000400000-0x0000000000438000-memory.dmp    224KB
memory/1292-60-0x0000000000400000-0x0000000000438000-memory.dmp    224KB
memory/1292-61-0x0000000000400000-0x0000000000438000-memory.dmp    224KB
memory/1292-62-0x000000000041832E-mapping.dmp                      -
memory/1292-64-0x0000000000400000-0x0000000000438000-memory.dmp    224KB
memory/1292-66-0x0000000000400000-0x0000000000438000-memory.dmp    224KB
memory/1292-67-0x0000000075B41000-0x0000000075B43000-memory.dmp    8KB
memory/1940-54-0x0000000000990000-0x0000000001088000-memory.dmp    7.0MB