Analysis
-
max time kernel
41s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
28/12/2022, 17:05
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
8 signatures
150 seconds
General
-
Target
file.exe
-
Size
365KB
-
MD5
7d6577e6a4b43a2f602ffcf8707b0154
-
SHA1
954499b40da009833dd6cc5af57e8faff76f8515
-
SHA256
6d70dfa130f8aba153401722f06c431a2a48fc42c2613e4dfb2c4695f672a507
-
SHA512
604b70e2d2f1cf3de7e3965125fee16253c86b5b0edc3dc149340bb42a025263e7a0c6f935ad14f46f8b51d5d565f2081130aa87601d7b21859c7887917b6380
-
SSDEEP
6144:kBh93Zw9Cqf37obrLkAO/Jbxr6M4bDT2wxEMB6F+9FtsnIEe:kBh93Zw9VdN9xR4bDT/B6F+9FzEe
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
pub2
C2
89.22.231.25:45245
Attributes
-
auth_value
ea9464d486a641bb513057e5f63399e1
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1512 set thread context of 1932 1512 file.exe 28 -
Program crash 1 IoCs
pid pid_target Process procid_target 1996 1512 WerFault.exe 26 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1932 vbc.exe 1932 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1932 vbc.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1512 wrote to memory of 1932 1512 file.exe 28 PID 1512 wrote to memory of 1932 1512 file.exe 28 PID 1512 wrote to memory of 1932 1512 file.exe 28 PID 1512 wrote to memory of 1932 1512 file.exe 28 PID 1512 wrote to memory of 1932 1512 file.exe 28 PID 1512 wrote to memory of 1932 1512 file.exe 28 PID 1512 wrote to memory of 1996 1512 file.exe 29 PID 1512 wrote to memory of 1996 1512 file.exe 29 PID 1512 wrote to memory of 1996 1512 file.exe 29 PID 1512 wrote to memory of 1996 1512 file.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 482⤵
- Program crash
PID:1996
-