Analysis
- max time kernel: 52s
- max time network: 60s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 14:20

Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20220812-en)
General
- Target: file.exe
- Size: 6.9MB
- MD5: 5e302b8def2082d2e5f0ac5f9a450558
- SHA1: 92de829105e4cad6e20cbfdf06889bafc6af67a2
- SHA256: 3856bc60e588f715b1338764cc430b359f80b8f04e447db07f149cc4101d800e
- SHA512: 104bb849cbb3b9d9d481a199edc462a79c8a486cca7be46c3232310d26da986585d9077fe206460363343832ee5563065177635c5c95a6b62fcf6fd6d8bc567a
- SSDEEP: 24576:DoRlA41Ob7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7Wub7WS:ol+WsWsWsWsWsWsWsWsWsWsWsWsW
Malware Config
Extracted
- Family: redline
- Botnet: @Andriii_ff
- C2: 185.173.36.94:31511
- auth_value: a6043973697c5fa0f81dd913cff42254
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTP)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process   target process
    PID 1380 set thread context of 1044   1380  file.exe  vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1044  vbc.exe
    1044  vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1044  vbc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        pid   process   target process
    PID 1380 wrote to memory of 1044   1380  file.exe  vbc.exe
    (this identical entry is recorded 9 times in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1044-55-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1044-56-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1044-58-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1044-60-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1044-61-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1044-62-0x000000000041832E-mapping.dmp
- memory/1044-64-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1044-66-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1044-67-0x0000000075ED1000-0x0000000075ED3000-memory.dmp (Filesize: 8KB)
- memory/1380-54-0x0000000000FB0000-0x00000000016A8000-memory.dmp (Filesize: 7.0MB)