Resubmissions

  • 29-11-2022 18:36  221129-w9c14shd6t  score 10/10
  • 29-11-2022 18:34  221129-w72axshc5v  score 10/10

Analysis

  • max time kernel
    151s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 18:34

General

  • Target

    driver.exe

  • Size

    2.5MB

  • MD5

    3a3fa6e19b606f700fa5a0d238de8915

  • SHA1

    6211694e6cd50584f368b87f7c69bf2eda502c90

  • SHA256

    1fc42b8450c8ffb2c4189e3064cd08edf0ff3259e9ccbb635dde6ae0782eae1a

  • SHA512

    83c2c913f5147341c5334b05b207715e648b9778f1cd1a7af6888f714e7fe04585ba21cd9440a7a3e8c280c99acc8f8a397a400897ebae0fb0ecb60320eaf48b

  • SSDEEP

    24576:KxTo3fi6zSaHcsFV03AQgs5ehYWTnxoQ/D2+mpS/5sqR91ldaHQqenA4jBmkg1gU:IT22ZePnxogDP/5fF7aHGg0j0

Score
10/10

Malware Config

Extracted

Family

redline

C2

45.15.157.131:36457

Attributes
  • auth_value

    c3342eec6a24dd88f1e2d37af96605d8

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Uses the Visual Basic .NET compiler (vbc.exe, not VBScript) for execution 1 TTPs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\driver.exe  (depth 1, PID 1488)
    "C:\Users\Admin\AppData\Local\Temp\driver.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (depth 2, child of PID 1488, PID 3924)
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
  • C:\Windows\system32\OpenWith.exe  (depth 1, PID 204)
    C:\Windows\system32\OpenWith.exe -Embedding
    • Suspicious use of SetWindowsHookEx
  • C:\Windows\system32\svchost.exe  (depth 1, PID 4296)
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Modifies registry class

Reading the tree: vbc.exe (PID 3924) is the only child of the sample, and it is started with no source file or compiler switch while its parent is flagged for SetThreadContext and WriteProcessMemory. That combination is the usual process-hollowing pattern, and every memory dump listed under Downloads is taken from PID 3924, so the unpacked RedLine payload should be looked for there rather than in driver.exe itself. OpenWith.exe and the BcastDVRUserService svchost.exe are depth-1 processes, not children of driver.exe; the behaviour flagged on them (desktop.ini, processor information, registry class) is consistent with routine Windows background activity in the sandbox and should not be attributed to the sample without a link back to PID 1488 or 3924.
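The process-tree pattern above (a user-writable binary spawning a .NET compiler with nothing to compile, the compiler then talking to the extracted C2) can be turned into two detection rules run over process-creation and network-connection telemetry. The following is an added example, not code from the sandbox or from this report. The event records, the legitimate-parent list and the user-writable path regex are assumptions to tune per estate; the sample events are constructed to mirror this report's tree (PIDs reused from the report), and the network event to 45.15.157.131:36457 is constructed too, since the report's Network tab recorded nothing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicator taken from the report's extracted RedLine config.
REDLINE_C2 = ("45.15.157.131", 36457)

# .NET Framework compilers seen used as hollowing hosts (vbc.exe is the one in this report).
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}

# Parents that legitimately drive the compilers. Assumption: extend for your build hosts.
LEGIT_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe", "aspnet_compiler.exe", "w3wp.exe"}

# User-writable locations from which a compiler's parent should not normally run (assumption).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)


@dataclass
class Event:
    """Minimal Sysmon-like record: event_id 1 (process create) or 3 (network connect)."""
    event_id: int
    pid: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    dest_ip: str = ""
    dest_port: int = 0


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(image: str, command_line: str) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return command_line.strip().strip('"').lower() == image.lower()


def hollowed_compiler(ev: Event) -> Optional[str]:
    """Rule 1: a .NET compiler started with nothing to compile, by a parent that is
    not a known build tool or that lives in a user-writable directory."""
    if ev.event_id != 1 or basename(ev.image) not in DOTNET_COMPILERS:
        return None
    if not has_no_arguments(ev.image, ev.command_line):
        return None
    parent = basename(ev.parent_image)
    if parent in LEGIT_COMPILER_PARENTS and not USER_WRITABLE.match(ev.parent_image):
        return None
    return f"pid {ev.pid}: {basename(ev.image)} spawned with no arguments by {ev.parent_image}"


def compiler_network(ev: Event, hollowed_pids: Set[int]) -> Optional[str]:
    """Rule 2: a compiler process (or a PID already flagged by rule 1) makes an outbound
    connection. A compiler has no reason to reach the network; a hit on the report's C2
    raises the severity."""
    if ev.event_id != 3:
        return None
    if ev.pid not in hollowed_pids and basename(ev.image) not in DOTNET_COMPILERS:
        return None
    severity = "HIGH (known RedLine C2)" if (ev.dest_ip, ev.dest_port) == REDLINE_C2 else "MEDIUM"
    return f"pid {ev.pid}: {basename(ev.image)} -> {ev.dest_ip}:{ev.dest_port} [{severity}]"


def analyse(events: List[Event]) -> List[str]:
    """Run both rules in order; rule 1 hits feed the PID set that rule 2 watches."""
    findings: List[str] = []
    hollowed: Set[int] = set()
    for ev in events:
        hit = hollowed_compiler(ev)
        if hit:
            findings.append(hit)
            hollowed.add(ev.pid)
        hit = compiler_network(ev, hollowed)
        if hit:
            findings.append(hit)
    return findings


# Constructed telemetry modelled on this report's process tree (not real sandbox output).
SAMPLE_EVENTS = [
    Event(1, 1488, r"C:\Users\Admin\AppData\Local\Temp\driver.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\driver.exe"', r"C:\Windows\explorer.exe"),
    Event(1, 3924, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"',
          r"C:\Users\Admin\AppData\Local\Temp\driver.exe"),
    # Assumed beacon from the hollowed compiler to the extracted C2.
    Event(3, 3924, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
          dest_ip="45.15.157.131", dest_port=36457),
    # Benign control: MSBuild compiling a real project with a response file.
    Event(1, 5100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\build\tmp.rsp"',
          r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

Rule 1 keys on the empty command line rather than on the parent alone, because a legitimate compiler invocation always carries a source file, a switch or a response file; rule 2 only needs the compiler's image name, so it still fires if the parent process has already exited by the time the beacon goes out.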

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scripting (T1064), 1 signature
  • Defense Evasion: Scripting (T1064), 1 signature
  • Discovery: Query Registry (T1012), 1 signature; System Information Discovery (T1082), 1 signature

The matrix is keyed to ATT&CK v6. T1064 Scripting was deprecated in v7 and its content folded into T1059 (Command and Scripting Interpreter) and T1027 (Obfuscated Files or Information), so map it accordingly when correlating with a current matrix.

Downloads

All dumps below are taken from PID 3924 (vbc.exe).

  • memory/3924-132-0x0000000000000000-mapping.dmp
  • memory/3924-133-0x00000000005A0000-0x00000000005C8000-memory.dmp  160KB
  • memory/3924-138-0x0000000005690000-0x0000000005CA8000-memory.dmp  6.1MB
  • memory/3924-139-0x0000000005180000-0x000000000528A000-memory.dmp  1.0MB
  • memory/3924-140-0x0000000000F20000-0x0000000000F32000-memory.dmp  72KB
  • memory/3924-141-0x0000000005070000-0x00000000050AC000-memory.dmp  240KB