Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2022 17:30
Static task
static1
Behavioral task
behavioral1
Sample
7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe
Resource
win10v2004-20220812-en
General
-
Target
7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe
-
Size
2.5MB
-
MD5
923ef6896659d77fff914a9ec8e89fa9
-
SHA1
4ea7406c2c960f81e4db6e8891d426181692de39
-
SHA256
7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e
-
SHA512
95364df4761013aaac4051299566cbb6392cae6136949526f7219660f3461634bda86f469ae0f8d96b209fd0cce83cb4b914998992fca8efa6f8bcd5695db29a
-
SSDEEP
24576:1RjcXgYLSaH8MlV0/AGQsHE9iWJnVo2FDq6mZC/36Kp/letoreojRqk4vgtYVuQJ:Ljh3E7nVoYDv/3Dpf4qYV
Malware Config
Extracted
redline
@P1
193.106.191.138:32796
-
auth_value
54c79ce081122137049ee07c0a2f38ab
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2668-133-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3A904DC4-5846-484A-99FF-508FA33026A0}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B1EAA8E1-798B-40D9-9B4B-CC02B7D257C3}.catalogItem svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exedescription pid process target process PID 1544 set thread context of 2668 1544 7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe vbc.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exepid process 2668 vbc.exe 2668 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 2668 vbc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exedescription pid process target process PID 1544 wrote to memory of 2668 1544 7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe vbc.exe PID 1544 wrote to memory of 2668 1544 7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe vbc.exe PID 1544 wrote to memory of 2668 1544 7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe vbc.exe PID 1544 wrote to memory of 2668 1544 7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe vbc.exe PID 1544 wrote to memory of 2668 1544 7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe"C:\Users\Admin\AppData\Local\Temp\7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2668-132-0x0000000000000000-mapping.dmp
-
memory/2668-133-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/2668-138-0x0000000005E20000-0x0000000006438000-memory.dmpFilesize
6.1MB
-
memory/2668-139-0x00000000077B0000-0x00000000078BA000-memory.dmpFilesize
1.0MB
-
memory/2668-140-0x0000000005DF0000-0x0000000005E02000-memory.dmpFilesize
72KB
-
memory/2668-141-0x0000000008100000-0x000000000813C000-memory.dmpFilesize
240KB
-
memory/2668-142-0x0000000005730000-0x0000000005796000-memory.dmpFilesize
408KB
-
memory/2668-143-0x0000000008190000-0x0000000008734000-memory.dmpFilesize
5.6MB
-
memory/2668-144-0x0000000007960000-0x00000000079F2000-memory.dmpFilesize
584KB
-
memory/2668-145-0x0000000007CD0000-0x0000000007E92000-memory.dmpFilesize
1.8MB
-
memory/2668-146-0x0000000008C70000-0x000000000919C000-memory.dmpFilesize
5.2MB
-
memory/2668-147-0x0000000005920000-0x0000000005996000-memory.dmpFilesize
472KB
-
memory/2668-148-0x00000000059A0000-0x00000000059F0000-memory.dmpFilesize
320KB