Analysis
-
max time kernel
90s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2022 04:02
Static task
static1
Behavioral task
behavioral1
Sample
69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe
Resource
win10v2004-20220901-en
General
-
Target
69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe
-
Size
403KB
-
MD5
85096ded58b9163ddc21460fbc98632e
-
SHA1
aa24d8a0180423a9ee9a5c79f3f6d245cc8b3298
-
SHA256
69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc
-
SHA512
c4f2977f4787e8f7c38e81fda6808c8b7983d8d5c6e803a21414a90488bb8ced00ce9dbeae57a922afac01720448da0733aef956809b831b059b097cfd49e3a8
-
SSDEEP
6144:T2P7Eo0YnmWe9+GC0aNCUa/0O0AOY2iTVtsuMSIIJRjN3/Sta:T2P7Eo0YnmWe9cKvZ9HLJRgE
Malware Config
Extracted
redline
11
79.137.202.18:45218
-
auth_value
107e09eee63158d2488feb03dac75204
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exedescription pid process target process PID 476 set thread context of 1620 476 69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3536 476 WerFault.exe 69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exepid process 1620 vbc.exe 1620 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 1620 vbc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exedescription pid process target process PID 476 wrote to memory of 1620 476 69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe vbc.exe PID 476 wrote to memory of 1620 476 69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe vbc.exe PID 476 wrote to memory of 1620 476 69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe vbc.exe PID 476 wrote to memory of 1620 476 69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe vbc.exe PID 476 wrote to memory of 1620 476 69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe"C:\Users\Admin\AppData\Local\Temp\69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 2482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 476 -ip 4761⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1620-132-0x0000000000000000-mapping.dmp
-
memory/1620-133-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1620-138-0x0000000006050000-0x0000000006668000-memory.dmpFilesize
6.1MB
-
memory/1620-139-0x0000000005BD0000-0x0000000005CDA000-memory.dmpFilesize
1.0MB
-
memory/1620-140-0x0000000005B00000-0x0000000005B12000-memory.dmpFilesize
72KB
-
memory/1620-141-0x0000000005B60000-0x0000000005B9C000-memory.dmpFilesize
240KB
-
memory/1620-142-0x0000000006C20000-0x00000000071C4000-memory.dmpFilesize
5.6MB
-
memory/1620-143-0x0000000006670000-0x0000000006702000-memory.dmpFilesize
584KB
-
memory/1620-144-0x0000000005FE0000-0x0000000006046000-memory.dmpFilesize
408KB
-
memory/1620-145-0x0000000008020000-0x00000000081E2000-memory.dmpFilesize
1.8MB
-
memory/1620-146-0x0000000008720000-0x0000000008C4C000-memory.dmpFilesize
5.2MB
-
memory/1620-147-0x0000000007430000-0x00000000074A6000-memory.dmpFilesize
472KB
-
memory/1620-148-0x00000000074B0000-0x0000000007500000-memory.dmpFilesize
320KB