Analysis
max time kernel: 63s
max time network: 93s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe
  Resource: win10v2004-20221111-en
General
Target: 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe
Size: 802KB
MD5: 266531bc43d8aa514ef4ac6bbf06fbce
SHA1: f398542a6db9d63ffaa6b221792b561b045533c9
SHA256: 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d
SHA512: aa35b78c1f374b0585da1cb87ab2f368798cfd9476864efcbd235a02597be46bd6ee66ab170dc328e661b4e68ad8b90c57d544ec704d1b369b5c181be22a8394
SSDEEP: 24576:rm5bRpdKx7w7eGXo3G4bZlZDckCo8xvQkf7Rh:m7eGXo2CDckz4vpf7Rh
Malware Config
Extracted
Family: redline
Botnet: @andriii_ff
C2: 176.124.220.67:30929
auth_value: 525a7ad8080b3552f2f7735af7644111
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Uses the VBS compiler for execution (1 TTPs)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description                        | pid  | process                                                              | target process
PID 1780 set thread context of 948 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | vbc.exe

Program crash (1 IoCs)
Processes:
pid | pid_target | process      | target process
620 | 1780       | WerFault.exe | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
948 | vbc.exe
948 | vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description             | pid | process
Token: SeDebugPrivilege | 948 | vbc.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description                     | pid  | process                                                              | target process
PID 1780 wrote to memory of 948 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | vbc.exe
PID 1780 wrote to memory of 948 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | vbc.exe
PID 1780 wrote to memory of 948 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | vbc.exe
PID 1780 wrote to memory of 948 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | vbc.exe
PID 1780 wrote to memory of 948 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | vbc.exe
PID 1780 wrote to memory of 948 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | vbc.exe
PID 1780 wrote to memory of 620 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | WerFault.exe
PID 1780 wrote to memory of 620 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | WerFault.exe
PID 1780 wrote to memory of 620 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | WerFault.exe
PID 1780 wrote to memory of 620 | 1780 | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1162
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/620-65-0x0000000000000000-mapping.dmp
memory/948-55-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
memory/948-57-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
memory/948-62-0x0000000000416CB2-mapping.dmp
memory/948-63-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
memory/948-64-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
memory/1780-54-0x0000000074F01000-0x0000000074F03000-memory.dmp (Filesize: 8KB)
memory/1780-66-0x0000000000170000-0x000000000023A000-memory.dmp (Filesize: 808KB)