redline | 5fe8b7e7186be5d134d9f43983ac828f9ee887e8aa9a86ea3c5503ef9d21a000

Analysis

max time kernel
280s
max time network
361s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe
Size

239KB
MD5

23c4734c50d1f9cbce8d70727e13f3ee
SHA1

131d853550261411d3b5514bb8e7e41f36d38962
SHA256

8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3
SHA512

6b182b14ba22bc0a992b23249d26c5f48d304b9a98a60f1dbfddf641a2ea363621224ed4178dac66393e3fdebfc51079411fadb3b1bc32dd919010c19751369c
SSDEEP

3072:Hx+Kgbyg6H8xK/q+PwjUoHp0DCe8K/1IzKbVR4TfGRrhqZIATc6mTxO:Hx+KgWg5Kq+PwQoHp0DoK2KJSTfqrhml

Score

10^/10

redline @p1 infostealer

Malware Config

Extracted

Family

redline

Botnet

@P1

193.106.191.138:32796

Attributes

auth_value
54c79ce081122137049ee07c0a2f38ab

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1880-133-0x0000000000500000-0x0000000000528000-memory.dmp	family_redline

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe

description	pid	process	target process
PID 2072 set thread context of 1880	2072	8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3880 2072 WerFault.exe 8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe

pid	pid_target	process	target process
3880	2072	WerFault.exe	8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe

description	pid	process	target process
PID 2072 wrote to memory of 1880	2072	8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe	vbc.exe
PID 2072 wrote to memory of 1880	2072	8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe	vbc.exe
PID 2072 wrote to memory of 1880	2072	8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe	vbc.exe
PID 2072 wrote to memory of 1880	2072	8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe	vbc.exe
PID 2072 wrote to memory of 1880	2072	8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe
"C:\Users\Admin\AppData\Local\Temp\8ae3cd42221f79b8983f9fd9229e0ca596216b0e49e55efebbd74a3f2d063ca3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 348
  2⤵
  - Program crash
  PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2072 -ip 2072
1⤵
PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-132-0x0000000000000000-mapping.dmp

Download
memory/1880-133-0x0000000000500000-0x0000000000528000-memory.dmp

Filesize
160KB

Download
memory/1880-138-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/1880-139-0x0000000007290000-0x000000000739A000-memory.dmp

Filesize
1.0MB

Download
memory/1880-140-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/1880-141-0x0000000005320000-0x000000000535C000-memory.dmp

Filesize
240KB

Download