Analysis
- max time kernel: 73s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2022 12:14

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 93a3fff460b764f8f0576c762aec221e456335ef7ee87f90116da28377092ae1.exe
  - Resource: win10v2004-20221111-en
General
- Target: 93a3fff460b764f8f0576c762aec221e456335ef7ee87f90116da28377092ae1.exe
- Size: 403KB
- MD5: fb56b2c84ca9f2f5ddcac30e731a87ea
- SHA1: 387b1dcee2e2bd71c3f998dfe36d51c3c4b1554f
- SHA256: 93a3fff460b764f8f0576c762aec221e456335ef7ee87f90116da28377092ae1
- SHA512: 940563616d7219acea46b0bf3e055634ec3b7c9ce4888dcae893c8774bf76d9cd42711bc2f46a30c21cf15074793a1f9b585326bd1c901d823e152469d96801b
- SSDEEP: 6144:8mHrko0wXOC99+mKpymC0a/QuUAOOSTkN6vrDYJ2++zPd/Sta:8mHrko0wXOC99QdYNeDYkzsE
Malware Config
- Extracted: redline
  - 11
  - C2: 79.137.202.18:45218
  - auth_value: 107e09eee63158d2488feb03dac75204
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTP)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          | pid  | process                                                               | target process
  PID 4592 set thread context of 2012  | 4592 | 93a3fff460b764f8f0576c762aec221e456335ef7ee87f90116da28377092ae1.exe | vbc.exe
- Program crash (1 IoC)
  Processes:
  pid  | pid_target | process      | target process
  4420 | 4592       | WerFault.exe | 93a3fff460b764f8f0576c762aec221e456335ef7ee87f90116da28377092ae1.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  | process
  2012 | vbc.exe
  2012 | vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 2012 | vbc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                        | pid  | process                                                               | target process
  PID 4592 wrote to memory of 2012   | 4592 | 93a3fff460b764f8f0576c762aec221e456335ef7ee87f90116da28377092ae1.exe | vbc.exe
  (the same entry is recorded five times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\93a3fff460b764f8f0576c762aec221e456335ef7ee87f90116da28377092ae1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\93a3fff460b764f8f0576c762aec221e456335ef7ee87f90116da28377092ae1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 256
    - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4592 -ip 4592
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2012-132-0x0000000000000000-mapping.dmp
- memory/2012-133-0x0000000000400000-0x0000000000432000-memory.dmp (filesize 200KB)
- memory/2012-138-0x00000000054F0000-0x0000000005B08000-memory.dmp (filesize 6.1MB)
- memory/2012-139-0x0000000005070000-0x000000000517A000-memory.dmp (filesize 1.0MB)
- memory/2012-140-0x0000000004FA0000-0x0000000004FB2000-memory.dmp (filesize 72KB)
- memory/2012-141-0x0000000005000000-0x000000000503C000-memory.dmp (filesize 240KB)
- memory/2012-142-0x0000000006240000-0x00000000067E4000-memory.dmp (filesize 5.6MB)
- memory/2012-143-0x0000000005D70000-0x0000000005E02000-memory.dmp (filesize 584KB)
- memory/2012-144-0x0000000005E10000-0x0000000005E76000-memory.dmp (filesize 408KB)
- memory/2012-145-0x0000000007760000-0x0000000007922000-memory.dmp (filesize 1.8MB)
- memory/2012-146-0x0000000007E60000-0x000000000838C000-memory.dmp (filesize 5.2MB)
- memory/2012-147-0x0000000006BE0000-0x0000000006C56000-memory.dmp (filesize 472KB)
- memory/2012-148-0x0000000006C60000-0x0000000006CB0000-memory.dmp (filesize 320KB)