Analysis
- max time kernel: 45s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 14:12
Static task
- static1
Behavioral task
- behavioral1
  Sample: 2c7867a1749edef10274f3e34b047865.exe
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: 2c7867a1749edef10274f3e34b047865.exe
  Resource: win10v2004-20220901-en
General
- Target: 2c7867a1749edef10274f3e34b047865.exe
- Size: 510KB
- MD5: 2c7867a1749edef10274f3e34b047865
- SHA1: c2009f052e54f3c788e1872e7ac6f4d5fea218f9
- SHA256: 8845215ed3299ff3381580ab3c1e1feb69d8c44361bc15d64b57a597147a74c7
- SHA512: 60b503650f7f4ca7d14cfa7dabc1cda68eee8f0e34800fb160f44b3af9135bf27b15c57e26f19301baa1eb4eb6a6191cfa70d8ca28361db71969f7c0c3435e68
- SSDEEP: 12288:p7HdieNsYHk31Qb9b01KCgZg7bn8eI3ilumDo+Wxga7oRFL:q31Qxg1K/g7z8r3iC+Qf0L
Malware Config
Extracted
- Family: redline
- Botnet: YT
- C2: 65.21.5.58:48811
- auth_value: fb878dde7f3b4ad1e1bc26d24db36d28
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTPs)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 2c7867a1749edef10274f3e34b047865.exe
  description | pid | process | target process
  PID 1340 set thread context of 1036 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | vbc.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  580 | 1340 | WerFault.exe | 2c7867a1749edef10274f3e34b047865.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: vbc.exe
  pid | process
  1036 | vbc.exe
  1036 | vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: vbc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1036 | vbc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 2c7867a1749edef10274f3e34b047865.exe
  description | pid | process | target process
  PID 1340 wrote to memory of 1036 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | vbc.exe
  PID 1340 wrote to memory of 1036 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | vbc.exe
  PID 1340 wrote to memory of 1036 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | vbc.exe
  PID 1340 wrote to memory of 1036 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | vbc.exe
  PID 1340 wrote to memory of 1036 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | vbc.exe
  PID 1340 wrote to memory of 1036 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | vbc.exe
  PID 1340 wrote to memory of 580 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | WerFault.exe
  PID 1340 wrote to memory of 580 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | WerFault.exe
  PID 1340 wrote to memory of 580 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | WerFault.exe
  PID 1340 wrote to memory of 580 | 1340 | 2c7867a1749edef10274f3e34b047865.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2c7867a1749edef10274f3e34b047865.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2c7867a1749edef10274f3e34b047865.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 36
    - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/580-65-0x0000000000000000-mapping.dmp
- memory/1036-55-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1036-57-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1036-62-0x000000000041B576-mapping.dmp
- memory/1036-63-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1036-64-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1340-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp (Filesize: 8KB)