Analysis
max time kernel: 90s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2022 08:26
Static task: static1
Behavioral task: behavioral1
  Sample: 8bcc8f91eac6071e201893b8e24ba3e9.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8bcc8f91eac6071e201893b8e24ba3e9.exe
  Resource: win10v2004-20221111-en
General
Target: 8bcc8f91eac6071e201893b8e24ba3e9.exe
Size: 398KB
MD5: 8bcc8f91eac6071e201893b8e24ba3e9
SHA1: 9c5fae6c14e3bf42db272ec2847b338eb7b91dfc
SHA256: 8e2e0590b0418adf88d487f37a49107538e7e2d243f165845852c3f7ece6a337
SHA512: 0afa75b87d0ee9d08a3d91d0c0ec905056f155a5d6fe385d7f4b0d9b9caa656f37373ea924205d0e74fb5a8b2ef7ef6d9f55e66842309bcc04c1254d5628ea04
SSDEEP: 12288:Mygxer6dluLigEZoNZ6RF2Rybootouo7CypP7:GuOdZ6ZyF2Ybootouo7VZ7
Malware Config
Extracted
Family: redline
Botnet: 11
C2: 79.137.202.18:45218
auth_value: 107e09eee63158d2488feb03dac75204
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTPs)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 2884 set thread context of 4296 | 2884 | 8bcc8f91eac6071e201893b8e24ba3e9.exe | vbc.exe
- Program crash (1 IoCs)
  Processes (pid | pid_target | process | target process):
  4640 | 2884 | WerFault.exe | 8bcc8f91eac6071e201893b8e24ba3e9.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  4296 | vbc.exe
  4296 | vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4296 | vbc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
  PID 2884 wrote to memory of 4296 | 2884 | 8bcc8f91eac6071e201893b8e24ba3e9.exe | vbc.exe
  PID 2884 wrote to memory of 4296 | 2884 | 8bcc8f91eac6071e201893b8e24ba3e9.exe | vbc.exe
  PID 2884 wrote to memory of 4296 | 2884 | 8bcc8f91eac6071e201893b8e24ba3e9.exe | vbc.exe
  PID 2884 wrote to memory of 4296 | 2884 | 8bcc8f91eac6071e201893b8e24ba3e9.exe | vbc.exe
  PID 2884 wrote to memory of 4296 | 2884 | 8bcc8f91eac6071e201893b8e24ba3e9.exe | vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8bcc8f91eac6071e201893b8e24ba3e9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8bcc8f91eac6071e201893b8e24ba3e9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 428
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2884 -ip 2884
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4296-132-0x0000000000000000-mapping.dmp
- memory/4296-133-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize 200KB)
- memory/4296-138-0x00000000059F0000-0x0000000006008000-memory.dmp (Filesize 6.1MB)
- memory/4296-139-0x0000000005550000-0x000000000565A000-memory.dmp (Filesize 1.0MB)
- memory/4296-140-0x0000000005480000-0x0000000005492000-memory.dmp (Filesize 72KB)
- memory/4296-141-0x00000000054E0000-0x000000000551C000-memory.dmp (Filesize 240KB)
- memory/4296-142-0x0000000005820000-0x00000000058B2000-memory.dmp (Filesize 584KB)
- memory/4296-143-0x00000000065C0000-0x0000000006B64000-memory.dmp (Filesize 5.6MB)
- memory/4296-144-0x0000000005960000-0x00000000059C6000-memory.dmp (Filesize 408KB)
- memory/4296-145-0x0000000006D40000-0x0000000006F02000-memory.dmp (Filesize 1.8MB)
- memory/4296-146-0x0000000007440000-0x000000000796C000-memory.dmp (Filesize 5.2MB)
- memory/4296-147-0x0000000008420000-0x0000000008496000-memory.dmp (Filesize 472KB)
- memory/4296-148-0x00000000073E0000-0x0000000007430000-memory.dmp (Filesize 320KB)