redline | 8845215ed3299ff3381580ab3c1e1feb69d8c44361bc15d64b57a597147a74c7

Analysis

max time kernel
90s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c7867a1749edef10274f3e34b047865.exe
Size

510KB
MD5

2c7867a1749edef10274f3e34b047865
SHA1

c2009f052e54f3c788e1872e7ac6f4d5fea218f9
SHA256

8845215ed3299ff3381580ab3c1e1feb69d8c44361bc15d64b57a597147a74c7
SHA512

60b503650f7f4ca7d14cfa7dabc1cda68eee8f0e34800fb160f44b3af9135bf27b15c57e26f19301baa1eb4eb6a6191cfa70d8ca28361db71969f7c0c3435e68
SSDEEP

12288:p7HdieNsYHk31Qb9b01KCgZg7bn8eI3ilumDo+Wxga7oRFL:q31Qxg1K/g7z8r3iC+Qf0L

Score

10^/10

redline yt infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

65.21.5.58:48811

Attributes

auth_value
fb878dde7f3b4ad1e1bc26d24db36d28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

2c7867a1749edef10274f3e34b047865.exe

description pid process target process

PID 4708 set thread context of 4164 4708 2c7867a1749edef10274f3e34b047865.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4700 4708 WerFault.exe 2c7867a1749edef10274f3e34b047865.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

4164 vbc.exe
4164 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 4164 vbc.exe

description	pid	process	target process
PID 4708 set thread context of 4164	4708	2c7867a1749edef10274f3e34b047865.exe	vbc.exe

pid	pid_target	process	target process
4700	4708	WerFault.exe	2c7867a1749edef10274f3e34b047865.exe

pid	process
4164	vbc.exe
4164	vbc.exe

description	pid	process
Token: SeDebugPrivilege	4164	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

2c7867a1749edef10274f3e34b047865.exe

description	pid	process	target process
PID 4708 wrote to memory of 4164	4708	2c7867a1749edef10274f3e34b047865.exe	vbc.exe
PID 4708 wrote to memory of 4164	4708	2c7867a1749edef10274f3e34b047865.exe	vbc.exe
PID 4708 wrote to memory of 4164	4708	2c7867a1749edef10274f3e34b047865.exe	vbc.exe
PID 4708 wrote to memory of 4164	4708	2c7867a1749edef10274f3e34b047865.exe	vbc.exe
PID 4708 wrote to memory of 4164	4708	2c7867a1749edef10274f3e34b047865.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2c7867a1749edef10274f3e34b047865.exe
"C:\Users\Admin\AppData\Local\Temp\2c7867a1749edef10274f3e34b047865.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 508
2⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4708 -ip 4708
1⤵
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4164-132-0x0000000000000000-mapping.dmp

Download
memory/4164-133-0x0000000000970000-0x00000000009A2000-memory.dmp

Filesize
200KB

Download
memory/4164-138-0x0000000005380000-0x0000000005998000-memory.dmp

Filesize
6.1MB

Download
memory/4164-139-0x0000000004F00000-0x000000000500A000-memory.dmp

Filesize
1.0MB

Download
memory/4164-140-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/4164-141-0x0000000004E90000-0x0000000004ECC000-memory.dmp

Filesize
240KB

Download
memory/4164-142-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/4164-143-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/4164-144-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/4164-145-0x0000000007AA0000-0x0000000007C62000-memory.dmp

Filesize
1.8MB

Download
memory/4164-146-0x00000000081A0000-0x00000000086CC000-memory.dmp

Filesize
5.2MB

Download