Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2022 18:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    264KB

  • MD5

    f30fdf64dbff6ade560a29894dfdb758

  • SHA1

    ecc9ec6b0d2e7b4385914b4ad22c2db4447c8789

  • SHA256

    def089cb330e10804e45b5eceb4702974cb9b2011b7160e0ce4c09efba53d6fb

  • SHA512

    8c31d393237779014f67c1c89d597f65c5470a8a98bd4ebeede296d13c722ebfaaefc79e5478475c06e7b50452291d2bab353a9bd97da73361a65adeeab64155

  • SSDEEP

    3072:jSovv6cGn/mfNzy473vg6pO3USAY00D2nxruIFjsXbafErXJKc:jSovyLOfNQCsUSAP/xrFeLafqXJKc

Score
10/10
redlineinstallinfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

Install

C2

142.93.198.232:81

Attributes
  • auth_value

    f9affed97251c08e7a096257ba9edfb2

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 296
      2⤵
      • Program crash
      PID:344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 928 -ip 928
    1⤵
      PID:308

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4776-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4776-133-0x0000000000400000-0x0000000000432000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4776-138-0x0000000005870000-0x0000000005E88000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4776-139-0x0000000005370000-0x000000000547A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4776-140-0x00000000052A0000-0x00000000052B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4776-141-0x0000000005320000-0x000000000535C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4776-142-0x0000000006610000-0x00000000066A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4776-143-0x0000000006C60000-0x0000000007204000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4776-144-0x0000000006720000-0x0000000006786000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4776-145-0x0000000008090000-0x0000000008252000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4776-146-0x0000000008790000-0x0000000008CBC000-memory.dmp
      Filesize

      5.2MB

      Download