redline | bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a

Analysis

max time kernel
151s
max time network
153s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
06-12-2022 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe
Size

239KB
MD5

7988905093b955b69c7780ad48ad35db
SHA1

0bb8132a0d8b43eaf84097e6d7ac1321030432ca
SHA256

bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a
SHA512

24d09b974393b14ed079102d04a6cd4fcf69d00a592ce67fa212edcb15efd687f901f3a93dea0d906f8d09492160ba8dc002a9b671af2215b7a08b3d1250c1ef
SSDEEP

3072:Ox+wgbyg6H8xK/q+PwjUoHp0DCe8K/1IzKbVR4TfGRrhqZIATcIm3xO:Ox+wgWg5Kq+PwQoHp0DoK2KJSTfqrhmH

Score

10^/10

redline @p1 infostealer

Malware Config

Extracted

Family

redline

Botnet

@P1

193.106.191.138:32796

Attributes

auth_value
54c79ce081122137049ee07c0a2f38ab

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3120-156-0x00000000004221CA-mapping.dmp	family_redline
behavioral1/memory/3120-151-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe

description	pid	process	target process
PID 4112 set thread context of 3120	4112	bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1660 4112 WerFault.exe bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

vbc.exe

pid process

3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
3120 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 3120 vbc.exe

pid	pid_target	process	target process
1660	4112	WerFault.exe	bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe

pid	process
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe
3120	vbc.exe

description	pid	process
Token: SeDebugPrivilege	3120	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe

description	pid	process	target process
PID 4112 wrote to memory of 3120	4112	bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe	vbc.exe
PID 4112 wrote to memory of 3120	4112	bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe	vbc.exe
PID 4112 wrote to memory of 3120	4112	bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe	vbc.exe
PID 4112 wrote to memory of 3120	4112	bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe	vbc.exe
PID 4112 wrote to memory of 3120	4112	bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe
"C:\Users\Admin\AppData\Local\Temp\bfc21a2c0ed5360d39fe4729de7ed32c484c79e4aaa9a983b3872d7e2adae58a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 504
2⤵
- Program crash
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3120-177-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-181-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-254-0x000000000D2D0000-0x000000000D7FC000-memory.dmp

Filesize
5.2MB

Download
memory/3120-159-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-253-0x000000000C670000-0x000000000C832000-memory.dmp

Filesize
1.8MB

Download
memory/3120-158-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-242-0x000000000C260000-0x000000000C2C6000-memory.dmp

Filesize
408KB

Download
memory/3120-238-0x000000000C8A0000-0x000000000CD9E000-memory.dmp

Filesize
5.0MB

Download
memory/3120-237-0x000000000C300000-0x000000000C392000-memory.dmp

Filesize
584KB

Download
memory/3120-229-0x000000000B820000-0x000000000B86B000-memory.dmp

Filesize
300KB

Download
memory/3120-227-0x000000000B7E0000-0x000000000B81E000-memory.dmp

Filesize
248KB

Download
memory/3120-225-0x000000000B780000-0x000000000B792000-memory.dmp

Filesize
72KB

Download
memory/3120-218-0x000000000B5C0000-0x000000000B6CA000-memory.dmp

Filesize
1.0MB

Download
memory/3120-215-0x0000000009E70000-0x000000000A476000-memory.dmp

Filesize
6.0MB

Download
memory/3120-186-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-185-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-184-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-183-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-160-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-166-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-182-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-180-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-179-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-178-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-176-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-175-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-174-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-173-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-172-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-171-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-170-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-156-0x00000000004221CA-mapping.dmp

Download
memory/3120-151-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3120-157-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-169-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-167-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-168-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-161-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-163-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/3120-164-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-138-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-121-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-125-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-123-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-150-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-149-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-148-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-147-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-146-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-145-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-144-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-120-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-143-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-142-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-141-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-140-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-139-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-137-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-136-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-135-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-134-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-133-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-132-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-131-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-130-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-129-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-128-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-127-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-126-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-124-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4112-122-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download