Resubmissions

29-11-2022 18:36

221129-w9c14shd6t 10

29-11-2022 18:34

221129-w72axshc5v 10

Analysis

  • max time kernel
    76s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
  • submitted
    29-11-2022 18:34

General

  • Target

    driver.exe

  • Size

    2.5MB

  • MD5

    3a3fa6e19b606f700fa5a0d238de8915

  • SHA1

    6211694e6cd50584f368b87f7c69bf2eda502c90

  • SHA256

    1fc42b8450c8ffb2c4189e3064cd08edf0ff3259e9ccbb635dde6ae0782eae1a

  • SHA512

    83c2c913f5147341c5334b05b207715e648b9778f1cd1a7af6888f714e7fe04585ba21cd9440a7a3e8c280c99acc8f8a397a400897ebae0fb0ecb60320eaf48b

  • SSDEEP

    24576:KxTo3fi6zSaHcsFV03AQgs5ehYWTnxoQ/D2+mpS/5sqR91ldaHQqenA4jBmkg1gU:IT22ZePnxogDP/5fF7aHGg0j0

Malware Config

Extracted

Family

redline

C2

45.15.157.131:36457

Attributes
  • auth_value

    c3342eec6a24dd88f1e2d37af96605d8

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\driver.exe
    "C:\Users\Admin\AppData\Local\Temp\driver.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1580
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1dc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scripting (1) T1064
  • Defense Evasion
    Scripting (1) T1064
  • Credential Access
    Credentials in Files (1) T1081
  • Collection
    Data from Local System (1) T1005

Downloads

  • memory/1580-54-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/1580-56-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/1580-61-0x000000000042281E-mapping.dmp
  • memory/1580-62-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/1580-63-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/1580-64-0x0000000075D01000-0x0000000075D03000-memory.dmp
    Filesize

    8KB