Analysis
max time kernel: 45s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2022 02:46
Static task: static1

Behavioral task: behavioral1
  Sample: 4f7358c27ddf88af37f87127239aaa97.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 4f7358c27ddf88af37f87127239aaa97.exe
  Resource: win10v2004-20220812-en
General
Target: 4f7358c27ddf88af37f87127239aaa97.exe
Size: 277KB
MD5: 4f7358c27ddf88af37f87127239aaa97
SHA1: e6c66e755ad804b66a12d92c88cfe4465bd64710
SHA256: 80a57a2c22e7ea3318f2027af5d4fb57ecc76a0de5236c087b9554b739350aa6
SHA512: d9a9b73ee1ae0ff73915ab6c26f9a347f038b4df2fa3a240be287f83400f67fa9f66d39867132d08aa1f1daa3aee36f60194fdc448333f1e8ec7e6f2e2d41fbd
SSDEEP: 3072:HLjOBXj0I/hH3RvM+4UU5i7SVx/n8p+izFgTWK+zxO:HLSBXj0I/4nFzP8p+/
Malware Config
Extracted
Family: redline
Botnet: @2023
C2: 79.137.192.28:20723
Attributes
  auth_value: 93b4b7d0dc8e9415e261a402587c6710
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                         pid   process                               target process
  PID 1808 set thread context of 268  1808  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe

Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  1304  1808        WerFault.exe  4f7358c27ddf88af37f87127239aaa97.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid  process
  268  vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description             pid  process
  Token: SeDebugPrivilege  268  vbc.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                      pid   process                               target process
  PID 1808 wrote to memory of 268  1808  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 1808 wrote to memory of 268  1808  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 1808 wrote to memory of 268  1808  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 1808 wrote to memory of 268  1808  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 1808 wrote to memory of 268  1808  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 1808 wrote to memory of 268  1808  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 1808 wrote to memory of 1304 1808  4f7358c27ddf88af37f87127239aaa97.exe  WerFault.exe
  PID 1808 wrote to memory of 1304 1808  4f7358c27ddf88af37f87127239aaa97.exe  WerFault.exe
  PID 1808 wrote to memory of 1304 1808  4f7358c27ddf88af37f87127239aaa97.exe  WerFault.exe
  PID 1808 wrote to memory of 1304 1808  4f7358c27ddf88af37f87127239aaa97.exe  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\4f7358c27ddf88af37f87127239aaa97.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4f7358c27ddf88af37f87127239aaa97.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 36
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/268-55-0x0000000000400000-0x0000000000432000-memory.dmp   Filesize: 200KB
memory/268-57-0x0000000000400000-0x0000000000432000-memory.dmp   Filesize: 200KB
memory/268-62-0x000000000041B5D2-mapping.dmp
memory/268-63-0x0000000000400000-0x0000000000432000-memory.dmp   Filesize: 200KB
memory/268-64-0x0000000000400000-0x0000000000432000-memory.dmp   Filesize: 200KB
memory/1304-65-0x0000000000000000-mapping.dmp
memory/1808-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp  Filesize: 8KB