redline | c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2

Analysis

max time kernel
66s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2023 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4d0dbf9045deed9778135b5af1440c3.exe
Size

355KB
MD5

a4d0dbf9045deed9778135b5af1440c3
SHA1

008884082f6f52d379311ad9e9f50190b0923a6b
SHA256

c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2
SHA512

1ffdc95f1600dabe8bd398e5cff1294f1928904793a3d3c1480c199dfff5bd1f02b39032b5da0ad152eafcd68dad285c97b51871d38f3934000f1c2b9a76dffc
SSDEEP

6144:9cj+Ny5p0BGxJ1ryIF7AOrjONMd4c7SikPiCsBJV:m+Ny5p0BEf7hONs2h6BJ

Score

10^/10

redline adel infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

adel

62.233.51.177:14107

Attributes

auth_value
6ba5b78fc0fccdad3cc87ea2ca866fc2

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

a4d0dbf9045deed9778135b5af1440c3.exe

description pid process target process

PID 2812 set thread context of 4596 2812 a4d0dbf9045deed9778135b5af1440c3.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5036 2812 WerFault.exe a4d0dbf9045deed9778135b5af1440c3.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

4596 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 4596 vbc.exe

description	pid	process	target process
PID 2812 set thread context of 4596	2812	a4d0dbf9045deed9778135b5af1440c3.exe	vbc.exe

pid	pid_target	process	target process
5036	2812	WerFault.exe	a4d0dbf9045deed9778135b5af1440c3.exe

pid	process
4596	vbc.exe

description	pid	process
Token: SeDebugPrivilege	4596	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

a4d0dbf9045deed9778135b5af1440c3.exe

description	pid	process	target process
PID 2812 wrote to memory of 4596	2812	a4d0dbf9045deed9778135b5af1440c3.exe	vbc.exe
PID 2812 wrote to memory of 4596	2812	a4d0dbf9045deed9778135b5af1440c3.exe	vbc.exe
PID 2812 wrote to memory of 4596	2812	a4d0dbf9045deed9778135b5af1440c3.exe	vbc.exe
PID 2812 wrote to memory of 4596	2812	a4d0dbf9045deed9778135b5af1440c3.exe	vbc.exe
PID 2812 wrote to memory of 4596	2812	a4d0dbf9045deed9778135b5af1440c3.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a4d0dbf9045deed9778135b5af1440c3.exe
"C:\Users\Admin\AppData\Local\Temp\a4d0dbf9045deed9778135b5af1440c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 252
2⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2812 -ip 2812
1⤵
PID:4460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4596-132-0x0000000000000000-mapping.dmp

Download
memory/4596-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4596-138-0x0000000005B50000-0x0000000006168000-memory.dmp

Filesize
6.1MB

Download
memory/4596-139-0x0000000005640000-0x000000000574A000-memory.dmp

Filesize
1.0MB

Download
memory/4596-140-0x0000000002F60000-0x0000000002F72000-memory.dmp

Filesize
72KB

Download
memory/4596-141-0x0000000005530000-0x000000000556C000-memory.dmp

Filesize
240KB

Download
memory/4596-142-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/4596-143-0x0000000006410000-0x00000000064A2000-memory.dmp

Filesize
584KB

Download
memory/4596-144-0x0000000006A60000-0x0000000007004000-memory.dmp

Filesize
5.6MB

Download
memory/4596-145-0x0000000006680000-0x0000000006842000-memory.dmp

Filesize
1.8MB

Download
memory/4596-146-0x0000000007540000-0x0000000007A6C000-memory.dmp

Filesize
5.2MB

Download