redline | 6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3

Analysis

max time kernel
91s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2023, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3.exe
Size

354KB
MD5

7a812b763e65a992a48ddf3a879514ac
SHA1

673978eefc253b13486c720844078bb169e8ae39
SHA256

6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3
SHA512

b58fad281e41b56945625ab55745636651c0e3f053d85ca9cc78c50188f8a49c20e79849592ce138b8c5b72b84f186df7972dd669272eb1068cf725bbfb9d79e
SSDEEP

6144:OAxTGwTljb7s6Du1grflAOszj+Wh/P699IE+aQ84utKa+qBdnkIJlGCAuW/KrF5N:pFGwaPWKzp/P6UE+ODuUF5

Score

10^/10

redline pub3 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

pub3

89.22.231.25:45245

Attributes

auth_value
ffd0fd0d5630c2c573c643bde2ed50b3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 4916	4800	6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4936	4800	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4916	vbc.exe
4916	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4916	4800	6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3.exe	84
PID 4800 wrote to memory of 4916	4800	6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3.exe	84
PID 4800 wrote to memory of 4916	4800	6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3.exe	84
PID 4800 wrote to memory of 4916	4800	6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3.exe	84
PID 4800 wrote to memory of 4916	4800	6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3.exe	84

C:\Users\Admin\AppData\Local\Temp\6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3.exe
"C:\Users\Admin\AppData\Local\Temp\6937a36bc3586d7c48272e87491fd0032748ed28c2c390fb34004348f4486cd3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 252
  2⤵
  - Program crash
  PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4800 -ip 4800
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4916-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4916-138-0x0000000005510000-0x0000000005B28000-memory.dmp

Filesize
6.1MB

Download
memory/4916-139-0x0000000005060000-0x000000000516A000-memory.dmp

Filesize
1.0MB

Download
memory/4916-140-0x0000000004F90000-0x0000000004FA2000-memory.dmp

Filesize
72KB

Download
memory/4916-141-0x0000000004FF0000-0x000000000502C000-memory.dmp

Filesize
240KB

Download
memory/4916-142-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/4916-143-0x00000000063E0000-0x0000000006984000-memory.dmp

Filesize
5.6MB

Download
memory/4916-144-0x0000000005F10000-0x0000000005FA2000-memory.dmp

Filesize
584KB

Download
memory/4916-145-0x0000000006990000-0x0000000006B52000-memory.dmp

Filesize
1.8MB

Download
memory/4916-146-0x0000000007090000-0x00000000075BC000-memory.dmp

Filesize
5.2MB

Download