Analysis
max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted
03-01-2023 02:11
Static task
static1
Behavioral task
behavioral1
Sample
b89982510003a83b72e023cefc4edd8e.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
b89982510003a83b72e023cefc4edd8e.exe
Resource
win10v2004-20220901-en
General
-
Target
b89982510003a83b72e023cefc4edd8e.exe
-
Size
1.9MB
-
MD5
b89982510003a83b72e023cefc4edd8e
-
SHA1
b97b061a10191eb3ce6382b6ce55b5bc0b3108fc
-
SHA256
15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd
-
SHA512
71fd21d18931d3bc5c3f0bc395df644d77af65a2ffbb83e9b23eaae42322710e62a6a658938d763b1547077433f06a99d6fcfed18787545ccaa8c2de21dc11e5
-
SSDEEP
49152:V5Ov3R+uH6r5eKowZO1Oz3tLcmkDLLEYzdGPET:V5Gh+iOz3tLwnRGi
Malware Config
Extracted
redline
LogsDiller Cloud (Telegram: @logsdillabot)
51.210.137.6:47909
-
auth_value
c2955ed3813a798683a185a82e949f88
Extracted
redline
socicalbot
149.28.205.74:2470
-
auth_value
9c51f0d7102febd61d441fffb9c4bb47
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request 2 IoCs
Processes:
WScript.exe
  flow  pid   process
  3     1104  WScript.exe
  4     1104  WScript.exe
-
Executes dropped EXE 3 IoCs
Processes:
tel.exe, fcc.exe, jjj.exe
  pid   process
  1560  tel.exe
  1224  fcc.exe
  684   jjj.exe
-
Loads dropped DLL 14 IoCs
Processes:
b89982510003a83b72e023cefc4edd8e.exe, WerFault.exe
  pid   process                               entries
  2028  b89982510003a83b72e023cefc4edd8e.exe  11
  480   WerFault.exe                          3
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
jjj.exe
  description                        pid  process  target process
  PID 684 set thread context of 1068  684  jjj.exe  vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe
  pid  pid_target  process       target process
  480  684         WerFault.exe  jjj.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exe
  pid   process
  1068  vbc.exe
  1068  vbc.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exe
  description              pid   process
  Token: SeDebugPrivilege  1068  vbc.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
b89982510003a83b72e023cefc4edd8e.exe, tel.exe, fcc.exe, jjj.exe
  description                       pid   process                               target process  entries
  PID 2028 wrote to memory of 1104  2028  b89982510003a83b72e023cefc4edd8e.exe  WScript.exe     4
  PID 2028 wrote to memory of 1560  2028  b89982510003a83b72e023cefc4edd8e.exe  tel.exe         4
  PID 2028 wrote to memory of 1224  2028  b89982510003a83b72e023cefc4edd8e.exe  fcc.exe         4
  PID 2028 wrote to memory of 684   2028  b89982510003a83b72e023cefc4edd8e.exe  jjj.exe         4
  PID 1560 wrote to memory of 992   1560  tel.exe                               vbc.exe         5
  PID 1224 wrote to memory of 776   1224  fcc.exe                               cmd.exe         4
  PID 684 wrote to memory of 1068   684   jjj.exe                               vbc.exe         6
  PID 684 wrote to memory of 480    684   jjj.exe                               WerFault.exe    4
Processes
C:\Users\Admin\AppData\Local\Temp\b89982510003a83b72e023cefc4edd8e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b89982510003a83b72e023cefc4edd8e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
    - Blocklisted process makes network request
  C:\Windows\Temp\tel.exe
    command line: "C:\Windows\Temp\tel.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  C:\Windows\Temp\fcc.exe
    command line: "C:\Windows\Temp\fcc.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
  C:\Windows\Temp\jjj.exe
    command line: "C:\Windows\Temp\jjj.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 48
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\Temp\1.vbs
Filesize
105B
MD5
07e1e48d3df9b78f2fc2db6cf3f81a55
SHA1
8e998dec6ad9c779e5eeebb5cf40f2f436dfc26f
SHA256
9b6bea54b95a14045f6b527675a9456fd4d8d22dcd22e0d1eedac440fe8b02fb
SHA512
001a1de66dbec029dc2422ff93e0ba6b882ba54f3316b4e4a912052d6d054e77142432f8550281c3edec98b07a6c12c5d0659ed1f1af143c2b9edcd6a2a18b9b
-
C:\Windows\Temp\fcc.exe
Filesize
2.5MB
MD5
4075e44d856c8340053b221f6077281b
SHA1
fd1adf1a8dd0cc3e6f5185668e85015f7bd449ac
SHA256
2101eaf3e97324925e22a012d91325dce329c18563a91919dd8a699d03b28d6b
SHA512
d1fdaa55250b0b7fe589419b7068c7c38a6af8a96100844e081cbc619801e5a33c30f1ca3cbe51312776e6613d92fab7ddf40661a6e611459666b56698337286
-
C:\Windows\Temp\jjj.exe
Filesize
278KB
MD5
6508fe38d249087a23ed56e7c6d8be2e
SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604
SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025
SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195
-
C:\Windows\Temp\tel.exe
Filesize
355KB
MD5
89a44c83a4cb4ae7c59c5afde077ef7a
SHA1
e6538e42223ca306686cc2a6be246bb8f6c7690b
SHA256
8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83
SHA512
48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d
-
memory/480-91-0x0000000000000000-mapping.dmp
-
memory/684-73-0x0000000000000000-mapping.dmp
-
memory/776-81-0x0000000000000000-mapping.dmp
-
memory/992-74-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize
200KB
-
memory/992-77-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize
200KB
-
memory/1068-90-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize
200KB
-
memory/1068-89-0x000000000041B59A-mapping.dmp
-
memory/1068-84-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize
200KB
-
memory/1068-92-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize
200KB
-
memory/1104-55-0x0000000000000000-mapping.dmp
-
memory/1224-67-0x0000000000000000-mapping.dmp
-
memory/1560-61-0x0000000000000000-mapping.dmp
-
memory/2028-54-0x0000000075441000-0x0000000075443000-memory.dmp
Filesize
8KB