Analysis
max time kernel: 138s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2022 08:21
Static task: static1
Behavioral task: behavioral1
  Sample: 8dbb3c2f474bf759840892da1e348fa6.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8dbb3c2f474bf759840892da1e348fa6.exe
  Resource: win10v2004-20220812-en
General
Target: 8dbb3c2f474bf759840892da1e348fa6.exe
Size: 398KB
MD5: 8dbb3c2f474bf759840892da1e348fa6
SHA1: cef87545c579f1ed36dbdee7a1785235e5ca728b
SHA256: 9a48ec1ff7995f724b479d97b0fd21fc0ee9c6c1598a39192ec677b648087602
SHA512: 7ca5a23428706c8a9f9b176f0fba902eb70c2dd6edc21d6d19cfa735e4e5186555146c122a13753159060b130f10c01437b67ea268c1ae6b61c7e93c9f52099f
SSDEEP: 6144:6ygxer6dluLigEBBY2o1FhZRVPjGAOryQjVDKHu2Sxhvh4OjSn7yGP7:6ygxer6dluLigEZoNZa9PRDKu2kELP7
Malware Config
Extracted
Family: redline
Botnet: 11
C2: 79.137.202.18:45218
auth_value: 107e09eee63158d2488feb03dac75204
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Uses the VBS compiler for execution (1 TTPs)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
  Processes: 8dbb3c2f474bf759840892da1e348fa6.exe
    description: PID 4652 set thread context of 2348
    pid: 4652
    process: 8dbb3c2f474bf759840892da1e348fa6.exe
    target process: vbc.exe
Program crash (1 IoCs)
  Processes: WerFault.exe
    pid: 3756
    pid_target: 4652
    process: WerFault.exe
    target process: 8dbb3c2f474bf759840892da1e348fa6.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: vbc.exe
    pid: 2348
    process: vbc.exe
    (2 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: vbc.exe
    description: Token: SeDebugPrivilege
    pid: 2348
    process: vbc.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: 8dbb3c2f474bf759840892da1e348fa6.exe
    description: PID 4652 wrote to memory of 2348
    pid: 4652
    process: 8dbb3c2f474bf759840892da1e348fa6.exe
    target process: vbc.exe
    (5 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\8dbb3c2f474bf759840892da1e348fa6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8dbb3c2f474bf759840892da1e348fa6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 136
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4652 -ip 4652
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2348-132-0x0000000000000000-mapping.dmp
memory/2348-133-0x0000000000150000-0x0000000000182000-memory.dmp  Filesize: 200KB
memory/2348-138-0x0000000005270000-0x0000000005888000-memory.dmp  Filesize: 6.1MB
memory/2348-139-0x0000000004DB0000-0x0000000004EBA000-memory.dmp  Filesize: 1.0MB
memory/2348-140-0x0000000004CE0000-0x0000000004CF2000-memory.dmp  Filesize: 72KB
memory/2348-141-0x0000000004D40000-0x0000000004D7C000-memory.dmp  Filesize: 240KB
memory/2348-142-0x0000000005050000-0x00000000050B6000-memory.dmp  Filesize: 408KB
memory/2348-143-0x0000000006140000-0x00000000066E4000-memory.dmp  Filesize: 5.6MB
memory/2348-144-0x0000000005C70000-0x0000000005D02000-memory.dmp  Filesize: 584KB
memory/2348-145-0x0000000005D10000-0x0000000005D86000-memory.dmp  Filesize: 472KB
memory/2348-146-0x0000000005D90000-0x0000000005DE0000-memory.dmp  Filesize: 320KB
memory/2348-147-0x00000000068C0000-0x0000000006A82000-memory.dmp  Filesize: 1.8MB
memory/2348-148-0x00000000078D0000-0x0000000007DFC000-memory.dmp  Filesize: 5.2MB