Analysis
-
max time kernel: 91s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 13:14
Static task
static1
Behavioral task
behavioral1
Sample
5jk29l2fg.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
5jk29l2fg.exe
Resource
win10v2004-20220901-en
General
-
Target
5jk29l2fg.exe
-
Size
787KB
-
MD5
abacca218986209482f20ed9772c4cf4
-
SHA1
2398f39d3a0007ed0fbb5af7a26e4ccce249af9f
-
SHA256
a404da44d49619445b10db9dad87e04456aa18ec88e9fc9ee328e40d8bbf479d
-
SHA512
5a834ae01248f8aac8aa198435d9fb71da3d26fcc23cd66faf1d29dc85a8bdb56464aed336494ea51eef8258fed08ba93cea3bf0f9882961bb4e40d20144afd6
-
SSDEEP
12288:aRyl9Dlkb72176sw/umQ6mGiBEswKK31OtUb0tx4H2cdI54XuHTnY6A0Zre:ayl9xkb72176s+o431Oab0tx4Wj4Z
Malware Config
Extracted
redline
new2811
jamesmillion.xyz:15772
-
auth_value
86a08d2c48d5c5db0c9cb371fb180937
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Uses the VBS compiler for execution (1 TTP)
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process        target process
  PID 4832 set thread context of 1664   4832  5jk29l2fg.exe  vbc.exe
-
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2804  4832        WerFault.exe  5jk29l2fg.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1664  vbc.exe
  1664  vbc.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1664  vbc.exe
-
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                          pid   process        target process
  PID 4832 wrote to memory of 1664     4832  5jk29l2fg.exe  vbc.exe
  PID 4832 wrote to memory of 1664     4832  5jk29l2fg.exe  vbc.exe
  PID 4832 wrote to memory of 1664     4832  5jk29l2fg.exe  vbc.exe
  PID 4832 wrote to memory of 1664     4832  5jk29l2fg.exe  vbc.exe
  PID 4832 wrote to memory of 1664     4832  5jk29l2fg.exe  vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5jk29l2fg.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5jk29l2fg.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 240
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4832 -ip 4832
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1664-145-0x0000000005950000-0x000000000598C000-memory.dmp (Filesize 240KB)
- memory/1664-147-0x0000000006DC0000-0x0000000007364000-memory.dmp (Filesize 5.6MB)
- memory/1664-153-0x0000000007C40000-0x000000000816C000-memory.dmp (Filesize 5.2MB)
- memory/1664-142-0x0000000005EF0000-0x0000000006508000-memory.dmp (Filesize 6.1MB)
- memory/1664-143-0x00000000058F0000-0x0000000005902000-memory.dmp (Filesize 72KB)
- memory/1664-144-0x0000000005A20000-0x0000000005B2A000-memory.dmp (Filesize 1.0MB)
- memory/1664-136-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize 216KB)
- memory/1664-146-0x0000000005CD0000-0x0000000005D36000-memory.dmp (Filesize 408KB)
- memory/1664-135-0x0000000000000000-mapping.dmp
- memory/1664-148-0x00000000068B0000-0x0000000006942000-memory.dmp (Filesize 584KB)
- memory/1664-149-0x0000000006950000-0x00000000069C6000-memory.dmp (Filesize 472KB)
- memory/1664-150-0x0000000006850000-0x000000000686E000-memory.dmp (Filesize 120KB)
- memory/1664-151-0x0000000006AC0000-0x0000000006B10000-memory.dmp (Filesize 320KB)
- memory/1664-152-0x0000000007540000-0x0000000007702000-memory.dmp (Filesize 1.8MB)
- memory/4832-141-0x0000000000D90000-0x0000000000E58000-memory.dmp (Filesize 800KB)