Analysis
max time kernel: 61s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-01-2023 02:11

Static task: static1
Behavioral task: behavioral1
  Sample: b89982510003a83b72e023cefc4edd8e.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b89982510003a83b72e023cefc4edd8e.exe
  Resource: win10v2004-20220901-en
General
Target: b89982510003a83b72e023cefc4edd8e.exe
Size: 1.9MB
MD5: b89982510003a83b72e023cefc4edd8e
SHA1: b97b061a10191eb3ce6382b6ce55b5bc0b3108fc
SHA256: 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd
SHA512: 71fd21d18931d3bc5c3f0bc395df644d77af65a2ffbb83e9b23eaae42322710e62a6a658938d763b1547077433f06a99d6fcfed18787545ccaa8c2de21dc11e5
SSDEEP: 49152:V5Ov3R+uH6r5eKowZO1Oz3tLcmkDLLEYzdGPET:V5Gh+iOz3tLwnRGi
Malware Config
Extracted: redline
  LogsDiller Cloud (Telegram: @logsdillabot)
  51.210.137.6:47909
  auth_value: c2955ed3813a798683a185a82e949f88
Extracted: redline
  socicalbot
  149.28.205.74:2470
  auth_value: 9c51f0d7102febd61d441fffb9c4bb47
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Blocklisted process makes network request (1 IoCs)
Processes:
  flow  pid   process
  7     4268  WScript.exe

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4600  tel.exe
  4400  fcc.exe
  2228  jjj.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: b89982510003a83b72e023cefc4edd8e.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTPs)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 4600 set thread context of 3968 (tel.exe -> vbc.exe)
  PID 2228 set thread context of 3336 (jjj.exe -> vbc.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes:
  pid   process       pid_target  target process
  812   WerFault.exe  4600        tel.exe
  4448  WerFault.exe  2228        jjj.exe

Modifies registry class (1 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings (process: b89982510003a83b72e023cefc4edd8e.exe)

Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  HTTP User-Agent header, flow 7: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  3968  vbc.exe
  3968  vbc.exe
  3336  vbc.exe
  3336  vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  3968  vbc.exe
  Token: SeDebugPrivilege  3336  vbc.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes (identical rows collapsed, count of occurrences in the last column):
  pid   process                               target pid  target process  count
  1612  b89982510003a83b72e023cefc4edd8e.exe  4268        WScript.exe     3
  1612  b89982510003a83b72e023cefc4edd8e.exe  4600        tel.exe         3
  1612  b89982510003a83b72e023cefc4edd8e.exe  4400        fcc.exe         3
  1612  b89982510003a83b72e023cefc4edd8e.exe  2228        jjj.exe         3
  4400  fcc.exe                               1588        cmd.exe         3
  4600  tel.exe                               3968        vbc.exe         5
  2228  jjj.exe                               3336        vbc.exe         5
Processes (indentation shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\b89982510003a83b72e023cefc4edd8e.exe
  "C:\Users\Admin\AppData\Local\Temp\b89982510003a83b72e023cefc4edd8e.exe"
  PID: 1612
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
    PID: 4268
    - Blocklisted process makes network request
  C:\Windows\Temp\tel.exe
    "C:\Windows\Temp\tel.exe"
    PID: 4600
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 3968
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 252
      PID: 812
      - Program crash
  C:\Windows\Temp\fcc.exe
    "C:\Windows\Temp\fcc.exe"
    PID: 4400
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
      PID: 1588
  C:\Windows\Temp\jjj.exe
    "C:\Windows\Temp\jjj.exe"
    PID: 2228
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 3336
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 244
      PID: 4448
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4600 -ip 4600
  PID: 3664
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2228 -ip 2228
  PID: 3504
Network
MITRE ATT&CK Enterprise v6
Downloads
Files written during the run (path and size):
  C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log  2KB
  C:\Windows\Temp\1.vbs  105B
  C:\Windows\Temp\fcc.exe  2.5MB
  C:\Windows\Temp\jjj.exe  278KB
  C:\Windows\Temp\tel.exe  355KB