redline | 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d

Analysis

max time kernel
160s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe
Size

802KB
MD5

266531bc43d8aa514ef4ac6bbf06fbce
SHA1

f398542a6db9d63ffaa6b221792b561b045533c9
SHA256

1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d
SHA512

aa35b78c1f374b0585da1cb87ab2f368798cfd9476864efcbd235a02597be46bd6ee66ab170dc328e661b4e68ad8b90c57d544ec704d1b369b5c181be22a8394
SSDEEP

24576:rm5bRpdKx7w7eGXo3G4bZlZDckCo8xvQkf7Rh:m7eGXo2CDckz4vpf7Rh

Score

10^/10

redline @andriii_ff infostealer

Malware Config

Extracted

Family

redline

Botnet

@andriii_ff

176.124.220.67:30929

Attributes

auth_value
525a7ad8080b3552f2f7735af7644111

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe

description pid process target process

PID 448 set thread context of 1684 448 1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe vbc.exe

description	pid	process	target process
PID 448 set thread context of 1684	448	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe	vbc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4736	448	WerFault.exe	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe
3296	448	WerFault.exe	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe

description	pid	process	target process
PID 448 wrote to memory of 1684	448	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe	vbc.exe
PID 448 wrote to memory of 1684	448	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe	vbc.exe
PID 448 wrote to memory of 1684	448	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe	vbc.exe
PID 448 wrote to memory of 1684	448	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe	vbc.exe
PID 448 wrote to memory of 1684	448	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe	vbc.exe
PID 448 wrote to memory of 4736	448	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe	WerFault.exe
PID 448 wrote to memory of 4736	448	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe	WerFault.exe
PID 448 wrote to memory of 4736	448	1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe
"C:\Users\Admin\AppData\Local\Temp\1570f6daac9b4567a4c1f68da417ac43adbeadedc94a2ec92d8f6341f08bb85d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 448
2⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 448
2⤵
- Program crash
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 448 -ip 448
1⤵
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/448-138-0x00000000007D0000-0x000000000089A000-memory.dmp

Filesize
808KB

Download
memory/1684-132-0x0000000000000000-mapping.dmp

Download
memory/1684-133-0x0000000000700000-0x0000000000736000-memory.dmp

Filesize
216KB

Download
memory/1684-140-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/1684-141-0x0000000004E20000-0x0000000004E32000-memory.dmp

Filesize
72KB

Download
memory/1684-142-0x0000000004F50000-0x000000000505A000-memory.dmp

Filesize
1.0MB

Download
memory/1684-143-0x0000000004F00000-0x0000000004F3C000-memory.dmp

Filesize
240KB

Download
memory/1684-144-0x0000000005BA0000-0x0000000005C32000-memory.dmp

Filesize
584KB

Download
memory/1684-145-0x00000000061F0000-0x0000000006794000-memory.dmp

Filesize
5.6MB

Download
memory/1684-146-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/4736-139-0x0000000000000000-mapping.dmp

Download