Analysis
-
max time kernel
43s -
max time network
54s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
26-12-2022 19:28
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
425KB
-
MD5
df78d30c9b01313df869cfe857b14f13
-
SHA1
59d6b5b9dca6cd249caa89209bdc781e3da1f050
-
SHA256
dd06232c864c14a9a494b6e023b114e526ea57dcb8366bf9a6248fd68eab2e12
-
SHA512
99dc96b6f9683b9973abc493b71c60289102621af0e20e1355b4462212a9ee66bcd6fdfae21f499940da85b6177e61ebdc9b4d2e94debc80e4fac1e068564144
-
SSDEEP
12288:XuqM5hh3qkzf7rJRd6UI5SnHJ/qnKkgT3:06kXzdDCnKkgL
Malware Config
Extracted
redline
Install
159.223.106.156:81
-
auth_value
f9affed97251c08e7a096257ba9edfb2
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 2016 set thread context of 1868 2016 file.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1496 2016 WerFault.exe file.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exepid process 1868 vbc.exe 1868 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 1868 vbc.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
file.exedescription pid process target process PID 2016 wrote to memory of 1868 2016 file.exe vbc.exe PID 2016 wrote to memory of 1868 2016 file.exe vbc.exe PID 2016 wrote to memory of 1868 2016 file.exe vbc.exe PID 2016 wrote to memory of 1868 2016 file.exe vbc.exe PID 2016 wrote to memory of 1868 2016 file.exe vbc.exe PID 2016 wrote to memory of 1868 2016 file.exe vbc.exe PID 2016 wrote to memory of 1496 2016 file.exe WerFault.exe PID 2016 wrote to memory of 1496 2016 file.exe WerFault.exe PID 2016 wrote to memory of 1496 2016 file.exe WerFault.exe PID 2016 wrote to memory of 1496 2016 file.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 482⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1496-64-0x0000000000000000-mapping.dmp
-
memory/1868-54-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1868-56-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1868-61-0x000000000041B58E-mapping.dmp
-
memory/1868-62-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1868-63-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1868-65-0x00000000757A1000-0x00000000757A3000-memory.dmpFilesize
8KB