redline | 5e0785abbbf807afc984a87eed6739c071ae85c2025c1b5c44eaa4a6561c2b76

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/01/2023, 03:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe
Size

285KB
MD5

90c10a5ed9337bea9e9f7ba220d286c3
SHA1

c12914a4bba77df18707d96cb05991aa847d7487
SHA256

b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1
SHA512

c84946f98ba7e88445ab7738da694610f914087696f9839224f994770934ba22bf4501319d4789cef1bb63694c6bec35866d54518aae8efdbccbb7616e3c8880
SSDEEP

6144:KWd94PYZfJfeB76+rG2lL0BEWD1wjMSfsog4DCRl:KWd94PYRmGKYBEWhwbfbg4DCP

Score

10^/10

redline pub4 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

pub4

89.22.231.25:45245

Attributes

auth_value
0da82ae70515a79fe7ddf40ce11d2c47

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 1788	1108	b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1788	vbc.exe
1788	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	vbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1788	1108	b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe	29
PID 1108 wrote to memory of 1788	1108	b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe	29
PID 1108 wrote to memory of 1788	1108	b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe	29
PID 1108 wrote to memory of 1788	1108	b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe	29
PID 1108 wrote to memory of 1788	1108	b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe	29
PID 1108 wrote to memory of 1788	1108	b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe	29

C:\Users\Admin\AppData\Local\Temp\b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe
"C:\Users\Admin\AppData\Local\Temp\b45c369861674c8d94c2249c1983488585904f21898330a3b435d9d5a5a6c5d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1788-54-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1788-56-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1788-62-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1788-63-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/1788-64-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download