Analysis

max time kernel:   112s
max time network:  132s
platform:          windows10-2004_x64
resource:          win10v2004-20220812-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted:         06-12-2022 02:46

Static task: static1

Behavioral task: behavioral1
  Sample:   4f7358c27ddf88af37f87127239aaa97.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample:   4f7358c27ddf88af37f87127239aaa97.exe
  Resource: win10v2004-20220812-en
General

Target:  4f7358c27ddf88af37f87127239aaa97.exe
Size:    277KB
MD5:     4f7358c27ddf88af37f87127239aaa97
SHA1:    e6c66e755ad804b66a12d92c88cfe4465bd64710
SHA256:  80a57a2c22e7ea3318f2027af5d4fb57ecc76a0de5236c087b9554b739350aa6
SHA512:  d9a9b73ee1ae0ff73915ab6c26f9a347f038b4df2fa3a240be287f83400f67fa9f66d39867132d08aa1f1daa3aee36f60194fdc448333f1e8ec7e6f2e2d41fbd
SSDEEP:  3072:HLjOBXj0I/hH3RvM+4UU5i7SVx/n8p+izFgTWK+zxO:HLSBXj0I/4nFzP8p+/
Malware Config

Extracted
  Family:     redline
  Botnet:     @2023
  C2:         79.137.192.28:20723
  auth_value: 93b4b7d0dc8e9415e261a402587c6710
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          pid   process                               target process
  PID 3016 set thread context of 4920  3016  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe

Program crash (1 IoCs)
  Processes:
  pid   pid_target  process       target process
  4148  3016        WerFault.exe  4f7358c27ddf88af37f87127239aaa97.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid   process
  4920  vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  4920  vbc.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                        pid   process                               target process
  PID 3016 wrote to memory of 4920   3016  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 3016 wrote to memory of 4920   3016  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 3016 wrote to memory of 4920   3016  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 3016 wrote to memory of 4920   3016  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
  PID 3016 wrote to memory of 4920   3016  4f7358c27ddf88af37f87127239aaa97.exe  vbc.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\4f7358c27ddf88af37f87127239aaa97.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f7358c27ddf88af37f87127239aaa97.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 420
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3016 -ip 3016
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

file                                                                  filesize
memory/4920-132-0x0000000000000000-mapping.dmp                        -
memory/4920-133-0x0000000000260000-0x0000000000292000-memory.dmp      200KB
memory/4920-138-0x0000000005AB0000-0x00000000060C8000-memory.dmp      6.1MB
memory/4920-139-0x00000000060D0000-0x00000000061DA000-memory.dmp      1.0MB
memory/4920-140-0x0000000007490000-0x00000000074A2000-memory.dmp      72KB
memory/4920-141-0x0000000007570000-0x00000000075AC000-memory.dmp      240KB
memory/4920-142-0x0000000007F00000-0x0000000007F66000-memory.dmp      408KB
memory/4920-143-0x0000000008520000-0x0000000008AC4000-memory.dmp      5.6MB
memory/4920-144-0x0000000008010000-0x00000000080A2000-memory.dmp      584KB
memory/4920-145-0x0000000008280000-0x0000000008442000-memory.dmp      1.8MB
memory/4920-146-0x0000000009000000-0x000000000952C000-memory.dmp      5.2MB