Analysis
- max time kernel: 56s
- max time network: 71s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 03:51
Static task: static1
Behavioral task: behavioral1
- Sample: 8cfb86773ea88895989f96e052a15870.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 8cfb86773ea88895989f96e052a15870.exe
- Resource: win10v2004-20221111-en
General
- Target: 8cfb86773ea88895989f96e052a15870.exe
- Size: 277KB
- MD5: 8cfb86773ea88895989f96e052a15870
- SHA1: c2d66030602cf9f59cb6bf55fe3917478e9e07bf
- SHA256: 6ae110bb6a1d79cc8090a55f52e0634997e378c13354d026c8443288942935f0
- SHA512: 9b1c9446d62451b5357872a80dd9241ca3b7f95333686337a6ade59e06103e645591c8944043e399f7dfa5e5c1a8bc8aece5e27b0c3999e54ee2259f6182bdcd
- SSDEEP: 3072:fLjO3Xj0I/hH3RvM+4UU5i7SVx/n8p+izFgTWH+KxO:fLS3Xj0I/4nFzP8p+z
Malware Config
Extracted
- redline
- @2023
- 79.137.192.28:20723
- auth_value: 93b4b7d0dc8e9415e261a402587c6710
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
Processes:
description                          | pid  | process                              | target process
PID 1780 set thread context of 1252 | 1780 | 8cfb86773ea88895989f96e052a15870.exe | vbc.exe
- Program crash (1 IoCs)
Processes:
pid | pid_target | process      | target process
920 | 1780       | WerFault.exe | 8cfb86773ea88895989f96e052a15870.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid  | process
1252 | vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description             | pid  | process
Token: SeDebugPrivilege | 1252 | vbc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description                        | pid  | process                              | target process
PID 1780 wrote to memory of 1252   | 1780 | 8cfb86773ea88895989f96e052a15870.exe | vbc.exe
PID 1780 wrote to memory of 1252   | 1780 | 8cfb86773ea88895989f96e052a15870.exe | vbc.exe
PID 1780 wrote to memory of 1252   | 1780 | 8cfb86773ea88895989f96e052a15870.exe | vbc.exe
PID 1780 wrote to memory of 1252   | 1780 | 8cfb86773ea88895989f96e052a15870.exe | vbc.exe
PID 1780 wrote to memory of 1252   | 1780 | 8cfb86773ea88895989f96e052a15870.exe | vbc.exe
PID 1780 wrote to memory of 1252   | 1780 | 8cfb86773ea88895989f96e052a15870.exe | vbc.exe
PID 1780 wrote to memory of 920    | 1780 | 8cfb86773ea88895989f96e052a15870.exe | WerFault.exe
PID 1780 wrote to memory of 920    | 1780 | 8cfb86773ea88895989f96e052a15870.exe | WerFault.exe
PID 1780 wrote to memory of 920    | 1780 | 8cfb86773ea88895989f96e052a15870.exe | WerFault.exe
PID 1780 wrote to memory of 920    | 1780 | 8cfb86773ea88895989f96e052a15870.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8cfb86773ea88895989f96e052a15870.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cfb86773ea88895989f96e052a15870.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 36
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/920-65-0x0000000000000000-mapping.dmp
- memory/1252-55-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1252-57-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1252-62-0x000000000041B5D2-mapping.dmp
- memory/1252-64-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1252-63-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1780-54-0x0000000075991000-0x0000000075993000-memory.dmp (Filesize: 8KB)