Analysis
-
max time kernel
66s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
03-01-2023 00:21
Static task
static1
Behavioral task
behavioral1
Sample
a4d0dbf9045deed9778135b5af1440c3.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a4d0dbf9045deed9778135b5af1440c3.exe
Resource
win10v2004-20220812-en
General
-
Target
a4d0dbf9045deed9778135b5af1440c3.exe
-
Size
355KB
-
MD5
a4d0dbf9045deed9778135b5af1440c3
-
SHA1
008884082f6f52d379311ad9e9f50190b0923a6b
-
SHA256
c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2
-
SHA512
1ffdc95f1600dabe8bd398e5cff1294f1928904793a3d3c1480c199dfff5bd1f02b39032b5da0ad152eafcd68dad285c97b51871d38f3934000f1c2b9a76dffc
-
SSDEEP
6144:9cj+Ny5p0BGxJ1ryIF7AOrjONMd4c7SikPiCsBJV:m+Ny5p0BEf7hONs2h6BJ
Malware Config
Extracted
redline
adel
62.233.51.177:14107
-
auth_value
6ba5b78fc0fccdad3cc87ea2ca866fc2
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
a4d0dbf9045deed9778135b5af1440c3.exedescription pid process target process PID 2812 set thread context of 4596 2812 a4d0dbf9045deed9778135b5af1440c3.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5036 2812 WerFault.exe a4d0dbf9045deed9778135b5af1440c3.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
vbc.exepid process 4596 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 4596 vbc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
a4d0dbf9045deed9778135b5af1440c3.exedescription pid process target process PID 2812 wrote to memory of 4596 2812 a4d0dbf9045deed9778135b5af1440c3.exe vbc.exe PID 2812 wrote to memory of 4596 2812 a4d0dbf9045deed9778135b5af1440c3.exe vbc.exe PID 2812 wrote to memory of 4596 2812 a4d0dbf9045deed9778135b5af1440c3.exe vbc.exe PID 2812 wrote to memory of 4596 2812 a4d0dbf9045deed9778135b5af1440c3.exe vbc.exe PID 2812 wrote to memory of 4596 2812 a4d0dbf9045deed9778135b5af1440c3.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4d0dbf9045deed9778135b5af1440c3.exe"C:\Users\Admin\AppData\Local\Temp\a4d0dbf9045deed9778135b5af1440c3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 2522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2812 -ip 28121⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4596-132-0x0000000000000000-mapping.dmp
-
memory/4596-133-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4596-138-0x0000000005B50000-0x0000000006168000-memory.dmpFilesize
6.1MB
-
memory/4596-139-0x0000000005640000-0x000000000574A000-memory.dmpFilesize
1.0MB
-
memory/4596-140-0x0000000002F60000-0x0000000002F72000-memory.dmpFilesize
72KB
-
memory/4596-141-0x0000000005530000-0x000000000556C000-memory.dmpFilesize
240KB
-
memory/4596-142-0x0000000005800000-0x0000000005866000-memory.dmpFilesize
408KB
-
memory/4596-143-0x0000000006410000-0x00000000064A2000-memory.dmpFilesize
584KB
-
memory/4596-144-0x0000000006A60000-0x0000000007004000-memory.dmpFilesize
5.6MB
-
memory/4596-145-0x0000000006680000-0x0000000006842000-memory.dmpFilesize
1.8MB
-
memory/4596-146-0x0000000007540000-0x0000000007A6C000-memory.dmpFilesize
5.2MB